Certified Information Security Manager (CISM) — Question 879
Which of the following is the BEST way to monitor the effectiveness of security controls?
Answer options
- A. Review application and system audit logs.
- B. Conduct regular threat assessments.
- C. Establish and report security metrics.
- D. Benchmark security controls against similar organizations.
Correct answer: C
Explanation
Establishing and reporting security metrics (C) provides quantifiable data for assessing the performance of security controls over time. Reviewing logs (A), conducting threat assessments (B), and benchmarking against others (D) can each provide insights, but none of them offers the comprehensive and systematic approach to measuring effectiveness that metrics do.