Certified Information Security Manager (CISM) — Question 1228

Which of the following MUST be established to maintain an effective information security governance framework?

Answer options

• A. Security controls automation
• B. Change management processes
• C. Security policy provisions
• D. Defined security metrics

Correct answer: C

Explanation

The correct answer is C, as having clear security policy provisions is fundamental for guiding the overall security strategy and compliance within an organization. Options A and B, while important, are not mandatory for governance, and option D, although useful for measurement, does not provide the foundational framework like a security policy does.