
CISM Question #850: Real Exam Question with Answer & Explanation

The correct answer is B: Establish and report security metrics.

Submitted by fernanda_arg · Apr 18, 2026 · Domain: Information Security Program Development and Management

Question

Which of the following is the BEST way to monitor the effectiveness of security controls?

Options

  • A. Conduct regular threat assessments.
  • B. Establish and report security metrics.
  • C. Benchmark security controls against similar organizations.
  • D. Review application and system audit logs.

Explanation

Establishing and reporting security metrics (B) provides ongoing, quantifiable measurement of how well controls are performing over time. Metrics enable trend analysis, gap identification, and evidence-based reporting - the hallmarks of effective control monitoring. Threat assessments (A) identify what threats exist but do not measure whether controls are successfully countering them. Benchmarking (C) compares your posture to peers but does not measure the effectiveness of your specific controls. Reviewing audit logs (D) is a useful detective activity and feeds into metrics, but reviewing logs alone is reactive and does not constitute a systematic monitoring program. Metrics operationalize monitoring at scale.

Topics

Security metrics, Control effectiveness, Performance monitoring, Information security program management
