Certified Information Security Manager (CISM) — Question 858

The PRIMARY purpose of implementing information security governance metrics is to:

Answer options

• A. measure alignment with best practices.
• B. refine control operations.
• C. assess operational and program metrics.
• D. guide security towards the desired state.

Correct answer: D

Explanation

The correct answer, D, emphasizes guiding security initiatives to achieve a specific desired state, which is the essence of governance. Options A and B focus on measuring and refining processes, while C is about assessment rather than direction, making them less aligned with the primary purpose.