Certified Information Security Manager (CISM) — Question 785
Which of the following is MOST important to include in a report to key stakeholders regarding the effectiveness of an information security program?
Answer options
- A. Security incident details
- B. Security metrics
- C. Security risk exposure
- D. Security baselines
Correct answer: B
Explanation
Including security metrics in the report provides quantitative data that demonstrates the effectiveness of the information security program, allowing stakeholders to make informed decisions. While security incident details, security risk exposure, and security baselines are important, they do not offer the same comprehensive assessment of overall program performance.