Certified Information Security Manager (CISM) — Question 1239
Which of the following is the BEST way for an organization to determine the maturity level of its information security program?
Answer options
- A. Review the results of information security awareness testing.
- B. Validate the effectiveness of implemented security controls.
- C. Benchmark the information security policy against industry standards.
- D. Track the trending of information security incidents.
Correct answer: B
Explanation
The correct answer is B because validating the effectiveness of implemented security controls directly measures how well the security measures are actually functioning and how well they protect the organization, which is what program maturity reflects. The other options, while useful for understanding specific aspects such as security awareness, policy alignment, or incident trends, do not provide a comprehensive view of the overall maturity of the security program.