Certified Information Security Manager (CISM) — Question 511

Which of the following methods is the BEST way to demonstrate that an information security program provides appropriate coverage?

Answer options

Correct answer: D

Explanation

The correct answer is D: a security risk analysis provides a comprehensive evaluation of potential threats and vulnerabilities, ensuring coverage of all critical areas. By contrast, a gap assessment (A) identifies discrepancies, a vulnerability scan report (B) focuses on existing vulnerabilities, and a maturity assessment (C) measures the program's effectiveness without necessarily demonstrating coverage.