Exam CISM topic 1 question 32 discussion

Remember that B is basically the gap analysis needed

The best way for an organization to determine the maturity level of its information security program is to use a recognized information security maturity model. These models provide a structured framework to assess and benchmark the current state of an organization's security practices and identify areas for improvement.

C. Benchmark the information security policy against industry standards. Supporting Citations: The CISM CRM, 16th Edition, Chapter 3 explains that maturity models, such as the Capability Maturity Model (CMM), are widely used to assess the maturity level of governance processes and security programs. These models highlight areas for improvement and facilitate alignment with industry best practices​ models assist in defining objectives for the information security program and developing strategies to meet those objectives

Choosing B since maturity is all about the process of security review and control

It’s c. What if they only have 2 controls that work really well, but miss the other 300? One of the ways to assess an organisations maturity is to assess the security policy. C does just that.

I think it is B.

I hesitated between B and C and decided to pick B, because: Policies happen on paper, the actual doing and assessment of the situation at hand can only be done by assessing the state of security controls. Therefore B.

I see the discussion here, and validate against AI, which chooses B. However, I think this is more of a textbook question, the word "maturity" is what I keep hearing candidates that have CISM or CISSP certs use in their interview answers. I think COMPTIA is looking to see that we take Frameworks and standrads into account, after all, this is more of a management cert. I'm going with C thinking this is more of a "BIG WORD" that needs to be used, even though in real life, you wanna test your controls work as in in B

we also have to take in consideration it says "Best" and what maturity means in the context of a security program. It means how well is this program developed and how well it is at handling different situations. The "best" way to test that would be to validate the controls rather than comparing the controls to best practice.

The correct answer is B. We assess maturity of the program through metrics associated to the implemented controls. Training and awareness results are only part of the metrics. There are others like IT team performance, vulnerability remediation performance, etc.

C. CISM book from mike chappel. maturity models asses an org. against industry best practices.

Benchmark the information security policy against industry standards: Benchmarking the policy against industry standards ensures that it aligns with recognized security practices. However, it doesn't guarantee that the policy is actually being implemented and enforced effectively.

Benchmarking the information security policy against industry standards is a comprehensive approach that allows organizations to assess the maturity of their information security program in comparison to established best practices and industry benchmarks. This involves evaluating the organization's policies, processes, and controls against recognized standards such as ISO/IEC 27001, NIST Cybersecurity Framework, or other relevant frameworks. While options like reviewing the results of information security awareness testing (option A), validating the effectiveness of implemented security controls (option B), and tracking the trending of information security incidents (option D) are important activities, benchmarking against industry standards provides a broader and more systematic evaluation of the overall maturity of the information security program.

I will say it is C. You will have to Benchmark against something to know where or how far (mature) your program is at

C is not correct because it says benchmarking the security "policy", this is not at all comprehensive. If it said security "program". The best answer provided for the question is not always the best way.

Its C. The word "Maturity" is why its C and not B. Maturity is not arbitrarily defined against your own program, its defined by the industry such as CMMC L1, 3 or 5. Initial, repeatable, defined, managed, Optimized. The industry dictates your maturity level, not the effectiveness of controls. For example, having a heroic team that ad-hoc responds to incidents may be incredibly effective but if they dont have clear policies and procedures their effectives does not translate into a mature process.

B. Validate the effectiveness of implemented security controls.