Certified Information Security Manager (CISM) — Question 598
An organization is implementing an information security governance framework. To communicate the program's effectiveness to stakeholders, it is MOST important to establish:
Answer options
- A. a control self-assessment (CSA) process.
- B. metrics for each milestone.
- C. automated reporting to stakeholders.
- D. a monitoring process for the security policy.
Correct answer: B
Explanation
Establishing metrics for each milestone allows the organization to quantitatively measure the effectiveness of the information security governance framework, making it easier to communicate progress and success to stakeholders. While control self-assessments, automated reporting, and monitoring processes are important, they do not provide the same level of clarity and direct measurement of success as milestone metrics do.