
CISM Question #220: Real Exam Question with Answer & Explanation


Submitted by ahmad_uae · Apr 18, 2026 · Information Security Risk Management

Question

Which of the following is MOST important for an information security manager to regularly report to senior management?

Options

  • A. Impact of untreated risks
  • B. Audit report findings and action plans
  • C. Progress of current information security initiatives
  • D. Third-party risk reports

Explanation

The correct answer is A: Impact of untreated risks.

Reporting the impact of untreated risks is most important because senior management's primary role is resource allocation and strategic decision-making - they need to understand what residual risks the organization is carrying and what the business consequences of inaction are. This directly supports governance accountability and helps executives make informed risk acceptance decisions.

Why the distractors fall short:

  • B (Audit findings): Audit reports are tactical and operational; they're relevant to the security manager's team and process owners, not a top priority for senior leadership's strategic lens.
  • C (Initiative progress): Project status updates are useful but secondary - management cares more about outcomes (risk posture) than activities (what the security team is working on).
  • D (Third-party risk reports): Third-party risk is one component of overall risk, not the broadest or most critical view senior management needs regularly.

Memory tip: Think of senior management as a board of investors - they want to know "what could hurt us and how badly?" not "what are your teams doing day-to-day?" Untreated risk impact answers that question directly, making it the most governance-relevant metric to escalate upward.

Topics

#Reporting to senior management · #Risk communication · #Untreated risks · #Business impact
