Certified Information Security Manager (CISM) — Question 1222
Which of the following metrics would BEST monitor how well information security requirements are incorporated into the change management process?
Answer options
- A. Information security incidents caused due to unauthorized changes
- B. Unauthorized changes in the environment
- C. Denied changes due to insufficient security details
- D. Information security-related changes
Correct answer: C
Explanation
Option C is correct because it directly reflects how often changes are rejected for lacking security information, which indicates that security requirements are not being adequately considered. Options A and B focus on incidents and unauthorized changes, which do not measure how well security is integrated into the process. Option D does not specifically address denial due to security issues.