CISM Question #790: Real Exam Question with Answer & Explanation

The correct answer is B: No key control indicators (KCIs) have been implemented.

Submitted by asante_acc · Apr 18, 2026 · Information Security Program Development and Management

Question

Which of the following should be of GREATEST concern regarding an organization's security controls?

Options

  • A. Some controls are performing outside of an acceptable range.
  • B. No key control indicators (KCIs) have been implemented.
  • C. Control ownership has not been updated.
  • D. Control gap analysis is outdated.

Explanation

Key Control Indicators (KCIs) are essential to measuring the effectiveness and performance of security controls. Without them:

  • The organization cannot assess if controls are working as intended
  • It's difficult to demonstrate due diligence
  • Risks may go unnoticed

While other answers point to operational concerns, the complete absence of KCIs presents a critical governance gap that compromises the organization's ability to monitor and manage

"KCIs provide actionable metrics that support proactive control management and are fundamental to governance and assurance."

Topics

#Security Controls #Control Monitoring #Key Control Indicators #Control Effectiveness
