I don't think it's B, since just supporting initiatives misses the point of why we use metrics. D fits better because CISM always stresses demonstrating effectiveness. B is tempting but feels like a distractor here.
Q: 10
When establishing metrics for an information security program, the BEST approach is to identify indicators that:
Options
Discussion
Makes sense to go with D here. Metrics that prove effectiveness are what ISACA focuses on; it's what exam drills always mention. I could see C mattering if risk culture was the main angle, but not in this case.
Option D. The whole point of these metrics is to show if security controls are actually doing their job. Makes sense, right?
D. Saw a similar question on a practice set; it's always about proving effectiveness for CISM metrics.
I get why C keeps coming up but D is the real ISACA-style pick.
Probably D; metrics should prove the security program's effectiveness. ISACA always circles back to measurable results here.
It's D: the point of security metrics in CISM is to prove if your controls and program are actually working. Just supporting initiatives (B) isn't enough; you need measurable proof that efforts are effective. Pretty sure that's what ISACA wants here. Open to other views though.
D; that's what most practice tests and the official CISM guide focus on for metrics. Always about showing program effectiveness.
C/D? If the org's risk culture is super strong, C could make sense too.
Option B since supporting big initiatives seems like what they want here. D looks like a trap.