Certified Information Systems Security Professional (CISSP) — Question 323

Which of the following is established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls?

Answer options

• A. Security Assessment Report (SAR)
• B. Organizational risk tolerance
• C. Risk assessment report
• D. Information Security Continuous Monitoring (ISCM)

Correct answer: D

Explanation

The correct answer is Information Security Continuous Monitoring (ISCM) because it specifically involves the ongoing collection of security-related information based on established metrics and existing controls. The other options, such as Security Assessment Report (SAR) and Risk assessment report, do not focus on continuous monitoring but rather on specific assessments or evaluations, while Organizational risk tolerance relates to the level of risk an organization is willing to accept rather than the collection of information.