Certified Information Security Manager (CISM) — Question 717

The fundamental purpose of establishing security metrics is to:

Answer options

• A. adopt security best practices.
• B. establish security benchmarks.
• C. provide feedback on control effectiveness.
• D. increase return on investment (ROI).

Correct answer: C

Explanation

The correct answer, C, highlights that security metrics are designed to evaluate how well security controls are performing. While options A, B, and D are important aspects of security management, they do not directly address the role of metrics in assessing control effectiveness.