Certified Information Security Manager (CISM) — Question 999

Which of the following is the BEST indication that an information security control is no longer relevant?

Answer options

• A. The control is not cost efficient.
• B. The control does not support a specific business function.
• C. IT management does not support the control.
• D. The technology related to the control is obsolete.

Correct answer: B

Explanation

The most significant indication that a control is no longer relevant is when it does not support a specific business function, as it means the control is not aligned with current organizational needs. While cost efficiency, management support, and obsolescence are important factors, they do not necessarily indicate the control's relevance to business operations.