Certified Information Security Manager (CISM) — Question 438

Which of the following is an important criterion for developing effective key risk indicators (KRIs) to monitor information security risk?

Answer options

• A. The indicator should provide a retrospective view of risk impacts and be measured annually
• B. The indicator should focus on IT and accurately represent risk variances
• C. The indicator should align with key performance indicators (KPIs) and measure root causes of process performance issues
• D. The indicator should possess a high correlation with a specific risk and be measured on a regular basis

Correct answer: D

Explanation

The correct answer is D because effective KRIs need to have a strong correlation with specific risks and should be monitored frequently to provide timely insights. Option A is incorrect as retrospective views do not provide proactive risk management. Option B focuses too narrowly on IT without considering broader risk factors, and option C, while relevant, does not emphasize the importance of correlation and regular measurement.