Certified Information Security Manager (CISM) — Question 896
Which of the following is MOST helpful to identify whether information security policies have been followed?
Answer options
- A. Corrective controls
- B. Directive controls
- C. Detective controls
- D. Preventive controls
Correct answer: C
Explanation
The correct answer is C, detective controls, because they are designed to identify and alert when security policies are not being followed. Corrective controls (A) fix issues after they occur, directive controls (B) provide guidance on how to comply, and preventive controls (D) aim to stop violations before they happen; none of these directly assesses compliance with existing policies.