Certified Information Security Manager (CISM) — Question 772
Which of the following is the PRIMARY reason to monitor key risk indicators (KRIs) related to information security?
Answer options
- A. To alert on unacceptable risk
- B. To identify residual risk
- C. To reassess risk appetite
- D. To benchmark control performance
Correct answer: A
Explanation
The primary reason for monitoring key risk indicators (KRIs) is to provide alerts on unacceptable risk levels, allowing organizations to take timely action. The other options, while important, serve secondary roles in the overall risk management process rather than being the primary focus of KRI monitoring.