Certified Information Security Manager (CISM) — Question 707
Which of the following is the BEST way to determine the gap between the present and desired state of an information security program?
Answer options
- A. Determine whether critical success factors (CSFs) have been defined.
- B. Review and update current operational procedures.
- C. Perform a risk analysis for critical applications.
- D. Conduct a capability maturity model evaluation.
Correct answer: D
Explanation
The correct answer is D. A capability maturity model evaluation rates the information security program's processes against defined maturity levels, so the difference between the current level and the target level is the gap. Options A, B, and C each address a specific aspect of security (success criteria, procedures, application risk) but provide no structured framework for measuring the program's overall maturity against its desired state.