Certified Information Security Manager (CISM) — Question 464

Which of the following is MOST important to the effectiveness of an information security program?

Answer options

• A. Organizational culture
• B. Risk management
• C. IT governance
• D. Security metrics

Correct answer: A

Explanation

Organizational culture is fundamental to the effectiveness of an information security program because it shapes employee behavior and attitudes towards security practices. If the culture promotes security awareness and compliance, the program is more likely to succeed. In contrast, while risk management, IT governance, and security metrics are important components, they cannot be effectively implemented without a supportive organizational culture.