Certified Information Security Manager (CISM) — Question 553
Which of the following would provide the BEST evidence to senior management that security control performance has improved?
Answer options
- A. Demonstrated return on security investment
- B. Review of security metrics trends
- C. Results of an emerging threat analysis
- D. Reduction in inherent risk
Correct answer: B
Explanation
The best evidence of improved security control performance is found in the review of security metrics trends, as this provides quantifiable data showing changes over time. While a demonstrated return on security investment and reduction in inherent risk are valuable, they do not directly indicate performance improvements in controls. Results of an emerging threat analysis are informative but do not reflect past performance changes.