Certified Information Security Manager (CISM) — Question 393
Which of the following should be the PRIMARY focus of a status report on the information security program to senior management?
Answer options
- A. Confirming the organization complies with security policies
- B. Verifying security costs do not exceed the budget
- C. Demonstrating risk is managed at the desired level
- D. Providing evidence that resources are performing as expected
Correct answer: C
Explanation
The correct answer is C because senior management's primary concern is whether risk is being managed at the level the organization has chosen to accept, since that is what protects the organization and its objectives. Compliance with policies, staying within budget, and resource performance are important, but they are means to that end and therefore secondary to demonstrating effective risk management.