Certified Information Security Manager (CISM) — Question 503
Which of the following provides the MOST relevant information to determine the overall effectiveness of an information security program and underlying business processes?
Answer options
- A. SWOT analysis
- B. Industry benchmarks
- C. Cost-benefit analysis
- D. Balanced scorecard
Correct answer: D
Explanation
The balanced scorecard is designed to provide a comprehensive view of organizational performance, including both financial and non-financial metrics, making it the most effective tool for evaluating an information security program. SWOT analysis focuses on strengths, weaknesses, opportunities, and threats, but does not provide a complete picture. Industry benchmarks offer comparative insights but lack the depth of an internal assessment, while cost-benefit analysis primarily evaluates financial aspects rather than overall effectiveness.