CISM Question #170: Real Exam Question with Answer & Explanation

The correct answer is D: A decrease in the number of security audit findings.

Submitted by weili_xi · Apr 18, 2026 · Information Security Program Development and Management

Question

Which of the following metrics would BEST demonstrate the success of a newly implemented information security framework?

Options

  • A. A decrease in the number of security policy exceptions
  • B. An increase in the number of compliant business processes
  • C. An increase in the number of identified security incidents
  • D. A decrease in the number of security audit findings

Explanation

A decrease in security audit findings is the strongest lagging indicator of framework success because audits independently verify that security controls are effective and that vulnerabilities and weaknesses are being remediated. Fewer findings directly reflect improved security posture attributable to the framework. A decrease in policy exceptions (A) could indicate stricter enforcement rather than improved security. An increase in compliant processes (B) shows adoption but not necessarily risk reduction. An increase in identified incidents (C) could reflect better detection, which is positive, but higher incident counts are counterintuitive as a success metric. Reduced audit findings provide the clearest, most authoritative evidence of improvement.

Topics

#SecurityFrameworkMetrics #PerformanceMeasurement #AuditFindings #FrameworkSuccess
