CISM Question #118: Real Exam Question with Answer & Explanation
The correct answer is B: KRIs that align with business processes. Key risk indicators must primarily align with business processes to provide meaningful insights into risks that directly impact organizational objectives.
Submitted by anjalisingh · Apr 18, 2026 · Information Security Risk Management
Question
When determining key risk indicators (KRIs) for use in an information security program it is MOST important to select:
Options
- A. KRIs that track both short-term and long-term performance.
- B. KRIs that align with business processes.
- C. KRIs that are quantifiable.
- D. As many KRIs as possible to catch risk events from the broadest areas.
Explanation
Key risk indicators must primarily align with business processes to provide meaningful insights into risks that directly impact organizational objectives.
Common mistakes
- A. While tracking both short-term and long-term performance is good, it's secondary to ensuring the KRIs are fundamentally relevant to the business.
- C. Quantifiability is a characteristic of a good KRI, but the most important aspect is its relevance and alignment with what the business values.
- D. Selecting too many KRIs can lead to "indicator fatigue" and diminish the focus on truly critical risks; quality and relevance are more important than quantity.
Concept tested: Key Risk Indicator (KRI) selection
Topics
#Key Risk Indicators (KRIs) #Business alignment #Risk management principles #Information security program