CISM Question #901: Real Exam Question with Answer & Explanation
The correct answer is D: The metrics must align with business objectives.
Question
Which of the following is MOST important to creating meaningful information security metrics?
Options
- A. The metrics must include key business systems.
- B. The metrics must be approved by senior management.
- C. The metrics must align to recognized industry standards.
- D. The metrics must align with business objectives.
Explanation
Metrics are only meaningful if they measure something that matters to the organization. Aligning metrics to business objectives ensures they reflect actual organizational risk, support decision-making, and communicate security value in terms leadership understands. Including key business systems (A) is useful but is a subset of business alignment. Senior management approval (B) is a governance step, not a quality criterion. Industry standards (C) provide benchmarks but may not reflect the organization's specific priorities. Metrics that do not connect to business objectives may be technically accurate but strategically irrelevant - they will not drive the right decisions or maintain leadership support.