Certified Information Security Manager (CISM) — Question 276
The PRIMARY purpose for defining key risk indicators (KRIs) for a security program is to:
Answer options
- A. support investments in the security program.
- B. compare security program effectiveness to benchmarks.
- C. provide information needed to take action.
- D. ensure mitigating controls meet specifications.
Correct answer: C
Explanation
The correct answer is C: the primary purpose of KRIs is to provide the data needed to make informed decisions and take timely action when risk moves outside acceptable thresholds. Options A, B, and D describe uses that KRIs can support, but none captures their primary intent, which is to enable action rather than merely to justify investments, compare against benchmarks, or verify that controls meet specifications.