Certified Information Security Manager (CISM) — Question 436
Which of the following is the PRIMARY responsibility of an information security governance committee?
Answer options
- A. Reviewing the information security risk register
- B. Approving changes to the information security strategy
- C. Discussing upcoming information security projects
- D. Reviewing monthly information security metrics
Correct answer: B
Explanation
The correct answer is B because the primary role of an information security governance committee is to set direction: it approves changes to the overarching information security strategy so that security remains aligned with business objectives. Reviewing the risk register, discussing upcoming projects and reviewing monthly metrics are legitimate committee activities, but they are oversight and monitoring tasks that support the strategy rather than the committee's primary governance responsibility.