Exam CISM topic 1 question 517 discussion

B it is boys!

B. Making decisions on security priorities

D. Evaluating information security metrics is indeed a task that the steering committee might engage in to gauge the effectiveness of the security program, but the core facilitation occurs through setting priorities and directing the strategic focus of the program.

Infosec manager evaluates the metrics and presents them to the steering committee, who then (based on that) decides on direction and priorities.

B. Making decisions on security priorities An organization's information security steering committee facilitates the achievement of information security program objectives primarily by making decisions on security priorities. The steering committee typically consists of key stakeholders from various departments within the organization, including IT, legal, compliance, and business units. Its role is to provide strategic guidance and oversight for the organization's information security efforts. By making decisions on security priorities, the committee helps ensure that the information security program aligns with the organization's overall goals and objectives. This includes determining where resources should be allocated, which security initiatives should take precedence, and how to address emerging threats and vulnerabilities. Their decisions can have a significant impact on the direction and effectiveness of the information security program.

I would say it uses D (metrics) in order to achieve B. B is actually the helpful part so I'd go with that.

Steering committees are all about steering to the right directions when needed. Therefore answer is clearly B

B. Making decisions on security priorities

Measurement can help to make decisions which all help to achieve. Hence Metrics is my choice.

D. Evaluating information security metrics by evaluating the metrics, they can check the status, make decisions on policies among other things to make sure the org can achieve the objectives.

An information security steering committee can facilitate the achievement of information security program objectives by making decisions on security priorities. The committee is responsible for setting the direction and vision of the organization's information security program and establishing priorities based on risk assessments and business needs. They can allocate resources and make decisions on what security measures should be implemented, such as technology, policies, and procedures, to achieve the security objectives. The committee may also review and evaluate the effectiveness of the security measures implemented and make necessary adjustments to ensure that the organization's information security program remains effective.

to evaluate achievement is needed the metrics.

Agreed on B

Why not B?