Certified Information Security Manager (CISM) — Question 39
Which of the following MUST an information security manager have an understanding of in relation to an information security program?
Answer options
- A. Understanding current and emerging technologies
- B. Establishing key performance indicators (KPIs)
- C. Conducting periodic risk assessments
- D. Obtaining stakeholder input
Correct answer: C
Explanation
The correct answer is C because conducting periodic risk assessments is essential for identifying vulnerabilities and for verifying that the security program remains effective as threats and the environment change. Understanding current and emerging technologies, establishing KPIs, and obtaining stakeholder input are all important, but none of them directly addresses the critical need for ongoing risk evaluation in an information security program.