Certified Information Security Manager (CISM) — Question 859

Which of the following BEST enables an information security manager to demonstrate the effectiveness of the information security and risk program to senior management?

Answer options

• A. Updated risk assessments
• B. Audit reports
• C. Counts of information security incidents
• D. Monthly metrics

Correct answer: D

Explanation

Monthly metrics provide ongoing, quantifiable data that can clearly illustrate trends and improvements in the information security and risk program, making it easier for senior management to understand its effectiveness. In contrast, updated risk assessments, audit reports, and counts of incidents may not provide a comprehensive view of the overall program's performance over time.