Certified Information Security Manager (CISM) — Question 1131
Which of the following is MOST important for the information security manager to include when presenting changes in the security risk profile to senior management?
Answer options
- A. Performance measures for existing controls
- B. Number of false positives
- C. Security training test results
- D. Industry benchmarks
Correct answer: A
Explanation
Including performance measures for existing controls is crucial because it demonstrates the effectiveness of current security measures and helps senior management understand the impact of any changes in the risk profile. The other options, while informative, give less direct insight into the effectiveness of the security posture than performance measures do.