Certified Information Security Manager (CISM) — Question 427

Using which of the following metrics will BEST help to determine the resiliency of IT infrastructure security controls?

Answer options

• A. Percentage of outstanding high-risk audit issues
• B. Number of incidents resulting in disruptions
• C. Number of successful disaster recovery tests
• D. Frequency of updates to system software

Correct answer: B

Explanation

The number of incidents resulting in disruptions directly reflects the effectiveness of security controls in place; fewer incidents indicate stronger resilience. In contrast, the percentage of outstanding high-risk audit issues, the number of successful disaster recovery tests, and the frequency of software updates do not directly measure operational resilience against disruptions.