Isaca CISM Exam - Topic 7 Question 91 Discussion

Actual exam question for Isaca's CISM exam
Question #: 91
Topic #: 7

Which of the following is the BEST indication of an effective information security program?

A. Risk is treated to an acceptable level.
B. The number of security incidents reported by staff has increased.
C. Key risk indicators (KRIs) are established.
D. Policies are reviewed and approved by senior management.

Suggested Answer: A

Comprehensive and Detailed Step-by-Step Explanation:

An effective information security program aims to manage risks to acceptable levels while supporting business objectives.

A. Risk is treated to an acceptable level: This is the BEST answer, as it directly reflects the program's success in mitigating risks to within the organization's tolerance levels.

B. The number of security incidents reported by staff has increased: An increase in reported incidents might indicate improved awareness, but it does not necessarily reflect overall effectiveness.

C. Key risk indicators (KRIs) are established: KRIs are important for monitoring risks, but they do not indicate whether risks are being effectively managed.

D. Policies are reviewed and approved by senior management: While essential, this action alone does not demonstrate the program's effectiveness.


Contribute your Thoughts:

Mozelle
3 months ago
Wait, how can we treat risk to an "acceptable level"? What does that even mean?
upvoted 0 times
Lakeesha
3 months ago
D sounds good, but are the policies actually enforced?
upvoted 0 times
Kirk
3 months ago
B seems counterintuitive. More incidents reported doesn't mean it's effective!
upvoted 0 times
Gilma
4 months ago
I think C is important too, though. KRIs help track progress.
upvoted 0 times
Sonia
4 months ago
A is definitely the best choice. Risk management is key!
upvoted 0 times
Deangelo
4 months ago
Reviewing policies by senior management sounds like a good practice, but I wonder if that alone is enough to indicate the overall effectiveness of the program.
upvoted 0 times
Stefany
4 months ago
I feel like establishing key risk indicators is important, but I can't recall if they are the best measure of effectiveness compared to the other options.
upvoted 0 times
Melda
4 months ago
I think the increase in reported incidents might actually suggest that employees are more aware of security issues, but it doesn't necessarily mean the program is effective.
upvoted 0 times
Tish
5 months ago
I remember discussing how treating risk to an acceptable level is crucial for an effective security program, but I'm not sure if that's the best indication.
upvoted 0 times
Noel
5 months ago
I like the idea of looking at key risk indicators as a sign of an effective program. That shows they're actively monitoring and managing the risks. I might go with C on this one.
upvoted 0 times
Alpha
5 months ago
I'm a bit confused by the options. Wouldn't an increase in reported security incidents actually be a bad sign, not a good one? That's what I'm leaning away from.
upvoted 0 times
King
5 months ago
I'm pretty confident that the best answer is A - risk being treated to an acceptable level. That's really the core goal of an effective security program, isn't it?
upvoted 0 times
Franchesca
5 months ago
This seems like a tricky question. I'll need to think carefully about the different options and what they really mean for an effective information security program.
upvoted 0 times
Sherita
1 year ago
Wow, these choices are quite the security buffet. I'll take one of each, please!
upvoted 0 times
Jina
1 year ago
Hmm, I'm not sure. Shouldn't the number of incidents be going down if the program is effective? B seems counterintuitive to me.
upvoted 0 times
Avery
1 year ago
I'm going with D. If senior management is approving the policies, that's a good sign the program is on the right track.
upvoted 0 times
Dorian
11 months ago
I agree, having senior management involved is crucial for a strong information security program.
upvoted 0 times
Alesia
11 months ago
D) Policies are reviewed and approved by senior management.
upvoted 0 times
Wenona
11 months ago
C) Key risk indicators (KRIs) are established.
upvoted 0 times
Jeannetta
12 months ago
A) Risk is treated to an acceptable level.
upvoted 0 times
Kiley
1 year ago
I disagree; I think C is the correct answer. Key risk indicators are crucial for measuring the program's effectiveness.
upvoted 0 times
Edelmira
1 year ago
C) Key risk indicators (KRIs) are established.
upvoted 0 times
Julene
1 year ago
A) Risk is treated to an acceptable level.
upvoted 0 times
Cassi
1 year ago
I believe C) Key risk indicators (KRIs) are established is also important. It helps in monitoring and measuring risks.
upvoted 0 times
Shayne
1 year ago
The best indication of an effective information security program is definitely A. Risk being treated to an acceptable level. That's the whole point, isn't it?
upvoted 0 times
Fannie
1 year ago
C) Key risk indicators (KRIs) are established.
upvoted 0 times
Barrett
1 year ago
A) Risk is treated to an acceptable level.
upvoted 0 times
Rodolfo
1 year ago
I agree with Raina. If risks are managed well, then the information security program is effective.
upvoted 0 times
Raina
1 year ago
I think the best indication is A) Risk is treated to an acceptable level.
upvoted 0 times