Certified Information Security Manager (CISM) — Question 953
Which of the following is the BEST indication that an organization has integrated information security governance with corporate governance?
Answer options
- A. Impact is measured according to business loss when assessing IT risk.
- B. Service levels for security vendors are defined according to business needs.
- C. Security policies are reviewed whenever business objectives are changed.
- D. Security performance metrics are measured against business objectives.
Correct answer: D
Explanation
The correct answer, D, shows that security performance is assessed against the organization's own business objectives, which is the clearest evidence that security governance has been integrated into corporate governance rather than run as a separate function. Options A, B, and C each reflect sound security management practice (business-based risk impact measurement, business-driven vendor service levels, and policy reviews triggered by changes in objectives), but none of them demonstrates that integration as directly as option D does.