Certified Information Security Manager (CISM) — Question 468

Which of the following is MOST helpful in determining an organization's current capacity to mitigate risks?

Answer options

• A. Capability maturity model
• B. Vulnerability assessment
• C. Business impact analysis (BIA)
• D. IT security risk and exposure

Correct answer: A

Explanation

The Capability Maturity Model (CMM) is designed to evaluate an organization's processes and their effectiveness in risk management, making it the most relevant option. A Vulnerability Assessment focuses on identifying weaknesses, while a Business Impact Analysis (BIA) assesses potential impacts of risks, and IT security risk and exposure deals with specific threats rather than overall capacity.