Certified Information Security Manager (CISM) — Question 1217
An information security manager has been asked to determine whether an information security initiative has reduced risk to an acceptable level. Which of the following activities would provide the BEST information for the information security manager to draw a conclusion?
Answer options
- A. Initiating a cost-benefit analysis of the implemented controls
- B. Performing a risk assessment
- C. Reviewing the risk register
- D. Conducting a business impact analysis (BIA)
Correct answer: B
Explanation
Performing a risk assessment is the best way to determine whether the initiative has reduced risk to an acceptable level, because it directly evaluates the threats and vulnerabilities that remain after the controls were implemented. In contrast, a cost-benefit analysis addresses the financial return of the controls rather than the risk that remains; a risk register is a tracking tool that records previously identified risks rather than an assessment method; and a business impact analysis (BIA) estimates the potential impact of disruptions rather than measuring current risk levels.