Certified Information Security Manager (CISM) — Question 262

Which of the following is the MOST important consideration when reporting the effectiveness of an information security program to key business stakeholders?

Answer options

• A. Linking security metrics to the business impact analysis (BIA)
• B. Demonstrating a decrease in information security incidents
• C. Demonstrating cost savings of each control
• D. Linking security metrics to business objectives

Correct answer: D

Explanation

The correct answer is D because aligning security metrics with business objectives ensures that the security program is relevant to the organization's goals, making it easier for stakeholders to understand its value. Options A and B, while important, do not directly tie the security efforts to the broader business context. Option C is more focused on financial aspects rather than overall alignment with business objectives.