Certified Information Security Manager (CISM) — Question 972
Which of the following is BEST used to determine the maturity of an information security program?
Answer options
- A. Organizational risk appetite
- B. Risk assessment results
- C. Security metrics
- D. Security budget allocation
Correct answer: C
Explanation
Security metrics provide quantitative data that can reflect the effectiveness and maturity of an information security program. While organizational risk appetite, risk assessment results, and security budget allocation are important, they do not offer the same direct measurement of program performance as security metrics do.