Certified in Risk and Information Systems Control (CRISC) — Question 463

Which of the following key control indicators (KCIs) BEST indicates whether security requirements are identified and managed throughout a project life cycle?

Answer options

• A. Number of employees completing project-specific security training
• B. Number of projects going live without a security review
• C. Number of security projects started in core departments
• D. Number of security-related status reports submitted by project managers

Correct answer: D

Explanation

Option D is correct because the number of security-related status reports submitted by project managers directly reflects the ongoing management and tracking of security requirements throughout the project life cycle. In contrast, option A focuses on training completion, option B indicates a lack of security reviews, and option C addresses the initiation of security projects rather than their management within existing projects.