Certified Information Security Manager (CISM) — Question 624
What is the PRIMARY benefit of using key performance indicators (KPIs) for information security risk management?
Answer options
- A. Set targets against which the organization's information security function can be evaluated.
- B. Prevent potential undesirable events from affecting information security.
- C. Identify risk events that have already occurred from affecting information security.
- D. Establish the process for setting organizational objectives in light of information security risk.
Correct answer: A
Explanation
The correct answer is A because KPIs provide measurable targets that enable an organization to assess the effectiveness of its information security efforts. Option B focuses on preventing undesirable events and option C on identifying events that have already occurred, neither of which is the primary purpose of KPIs, while option D relates to setting objectives rather than evaluating performance.