Q: 10
When establishing metrics for an information security program, the BEST approach is to identify
indicators that:
Options
Discussion
D Saw a similar question on a practice set, it's always about proving effectiveness for CISM metrics.
Its D - the point of security metrics in CISM is to prove if your controls and program are actually working. Just supporting initiatives (B) isn't enough, you need measurable proof that efforts are effective. Pretty sure that's what ISACA wants here. Open to other views though.
I don't think it's B, since just supporting initiatives misses the point of why we use metrics. D fits better because CISM always stresses demonstrating effectiveness. B is tempting but feels like a distractor here.
D, that's what most practice tests and the official CISM guide focus on for metrics. Always about showing program effectiveness.
C/D? If the org's risk culture is super strong, C could make sense too.
Option B since supporting big initiatives seems like what they want here. D looks like a trap.
Nicely worded scenario, makes it easier to analyze. I think B since supporting major initiatives means aligning metrics to current projects, which feels like a good real-world approach. Anyone else think that fits the intent?
Why not D instead of B? Just supporting initiatives doesn't prove the program is effective, which CISM usually wants.
Be respectful. No spam.
