Certified Information Security Manager (CISM) — Question 843
When selecting metrics to monitor the effectiveness of an information security program, it is MOST important for an information security manager to:
Answer options
- A. identify the program's risk and compensating controls.
- B. consider the organization's business strategy.
- C. consider the strategic objectives of the program.
- D. leverage industry benchmarks.
Correct answer: C
Explanation
The correct answer is C because metrics aligned with the program's strategic objectives measure whether the program is actually achieving what it was set up to do, so monitoring directly supports the program's goals. Options A, B, and D are relevant inputs to an information security program, but none of them addresses how the chosen metrics relate to the program's own objectives, which is what makes a metric useful for assessing effectiveness.