Certified Information Security Manager (CISM) — Question 202

Which of the following BEST enables an information security manager to determine the comprehensiveness of an organization’s information security strategy?

Answer options

• A. Internal security audit
• B. Organizational risk appetite
• C. External security audit
• D. Business impact analysis (BIA)

Correct answer: B

Explanation

The organizational risk appetite provides insight into how much risk the organization is willing to accept, which is crucial for evaluating the effectiveness of the information security strategy. An internal or external security audit may reveal vulnerabilities, but they do not directly assess the alignment of security measures with the organization's risk tolerance. A Business Impact Analysis (BIA) helps identify critical functions but does not specifically measure the strategy's comprehensiveness.