Certified Information Security Manager (CISM) — Question 281

To implement effective continuous monitoring of IT controls, an information security manager needs to FIRST ensure:

Answer options

• A. security alerts are centralized.
• B. periodic scanning of IT systems is in place.
• C. metrics are communicated to senior management.
• D. information assets have been classified.

Correct answer: D

Explanation

The correct answer is D because classifying information assets is essential for understanding their sensitivity and criticality, which informs monitoring strategies. While centralized security alerts, periodic scanning, and communicating metrics are important, they become more effective once assets are properly classified.