Certified Information Security Manager (CISM) — Question 70
Which of the following is MOST important to include when reporting information security risk to executive leadership?
Answer options
- A. Key performance objectives and budget trends
- B. Security awareness training participation and residual risk exposures
- C. Risk analysis results and key risk indicators (KRIs)
- D. Information security risk management plans and control compliance
Correct answer: C
Explanation
Option C is correct because risk analysis results and key risk indicators (KRIs) give executives a direct view of the organization's risk landscape, which is what they need in order to make decisions. Options A, B, and D are relevant to the security program but do not focus on the core risk information executives must prioritize for decision-making.