Certified Information Security Manager (CISM) — Question 863

Which of the following is the PRIMARY reason for an information security manager to periodically review existing controls?

Answer options

• A. To prioritize security initiatives
• B. To avoid redundant controls
• C. To align with emerging risk
• D. To address end-user control complaints

Correct answer: C

Explanation

The correct answer is C because aligning with emerging risks ensures that the security posture remains effective against new threats. Options A and B are important but are secondary to the need to adapt to evolving risks. Option D, while relevant, is not a primary reason for reviewing controls.