Certified Information Security Manager (CISM) — Question 94

Which of the following BEST demonstrates that security controls are effective?

Answer options

• A. Audit report
• B. Tabletop simulation
• C. Risk and control self-assessment
• D. Business impact analysis (BIA) results

Correct answer: A

Explanation

An audit report provides a formal evaluation of the effectiveness of security controls, making it the best indicator of their performance. In contrast, a tabletop simulation, risk and control self-assessment, and BIA results provide valuable insights but do not offer the same level of objective verification as an audit report.