nerdexam
(ISC)2

CISSP · Question #1422

Which of the following is established to collect information Se eee ee ee nation readily available in part through implemented security controls?

The correct answer is C. Information Security Continuous Monitoring (ISCM). Information Security Continuous Monitoring (ISCM) is a program established to maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions, leveraging data made available through implemented security controls

Submitted by parkjh· Mar 5, 2026Security Operations

Question

Which of the following is established to collect information Se eee ee ee nation readily available in part through implemented security controls?

Options

  • ASecurity Assessment Report (SAR)
  • BOrganizational risk tolerance
  • CInformation Security Continuous Monitoring (ISCM)
  • DRisk assessment report

How the community answered

(32 responses)
  • A
    3% (1)
  • C
    94% (30)
  • D
    3% (1)

Why each option

Information Security Continuous Monitoring (ISCM) is a program established to maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions, leveraging data made available through implemented security controls.

ASecurity Assessment Report (SAR)

A Security Assessment Report (SAR) is a point-in-time document produced after a formal security assessment, not an ongoing program established to continuously collect security information from implemented controls.

BOrganizational risk tolerance

Organizational risk tolerance is a defined threshold or policy position indicating how much risk an organization is willing to accept, not a collection mechanism or monitoring program.

CInformation Security Continuous Monitoring (ISCM)Correct

ISCM is specifically defined as a program that collects security-related information on an ongoing basis, with much of that information made readily available through already-implemented security controls and automated tools. Per NIST SP 800-137, ISCM provides situational awareness of the security posture of an organization by continuously gathering metrics, status, and alerts from security controls already in place, enabling timely risk management decisions.

DRisk assessment report

A risk assessment report documents the results of a risk assessment process at a specific point in time, rather than being an ongoing monitoring program that continuously gathers information from implemented security controls.

Concept tested: Information Security Continuous Monitoring (ISCM) program purpose

Source: https://csrc.nist.gov/publications/detail/sp/800-137/final

Topics

#continuous monitoring#ISCM#security controls

Community Discussion

No community discussion yet for this question.

Full CISSP Practice