Certified Information Security Manager (CISM) — Question 338

Which of the following is a desired outcome of information security governance?

Answer options

• A. Penetration test
• B. A maturity model
• C. Improved risk management
• D. Business agility

Correct answer: C

Explanation

Improved risk management is a fundamental aim of information security governance, as it ensures that risks are identified, assessed, and mitigated effectively. While penetration tests and maturity models can contribute to security, they are not the primary outcomes of governance. Business agility, although beneficial, is not directly a result of security governance efforts.