
CISA Question #199: Real Exam Question with Answer & Explanation


Submitted by deeparc · Apr 18, 2026 · Governance and Management of IT

Question

Which of the following is the GREATEST benefit of using a capability maturity model to present audit findings related to an organization's cybersecurity posture?

Options

  • A. It enables the adoption of a common standard for regulatory surveillance
  • B. It provides a roadmap for long-term improvement
  • C. It provides a benchmark against other organizations
  • D. It can confirm deficiencies and correction plans

Explanation

The correct answer is B: It provides a roadmap for long-term improvement. A capability maturity model (CMM) organizes findings along a progression of levels (e.g., Initial → Managed → Optimized), which gives the organization a structured roadmap showing where it is today and what steps are needed to reach higher maturity - making long-term improvement planning the primary value of this presentation format.

Why the distractors fall short:

  • A is wrong because CMMs are not regulatory frameworks; they don't establish or align with surveillance standards for compliance bodies.
  • C is partially true (some CMMs enable benchmarking), but benchmarking is a secondary byproduct, not the greatest benefit - the model's core purpose is guiding internal improvement, not industry comparison.
  • D is wrong because confirming deficiencies and correction plans is something any audit methodology can do; it doesn't require a maturity model specifically.

Memory tip: Think of a maturity model as a "GPS for improvement" - it tells you your current level and plots the route to higher levels. When you see "roadmap" or "improvement path" in an answer, that aligns with the maturity concept (levels you climb over time), not just a snapshot audit.

Topics

#CapabilityMaturityModel #AuditReporting #CybersecurityPosture #ContinuousImprovement
