Certified Information Security Manager (CISM) — Question 270

Which of the following is the MOST effective approach for determining whether an organization's information security program supports the information security strategy?

Answer options

• A. Ensure resources meet information security program needs
• B. Audit the information security program to identify deficiencies
• C. Identify gaps impacting information security strategy
• D. Develop key performance indicators (KPIs) of information security

Correct answer: D

Explanation

Developing key performance indicators (KPIs) is the most effective approach because it allows for measurable assessment of how well the information security program supports the strategy. While auditing and identifying gaps are useful, they do not provide the ongoing measurement and alignment necessary to ensure effectiveness, unlike KPIs which facilitate continuous improvement and adherence to the strategy.