In my experience with many cyber security maturity assessments using CMMI, effective implementation of security controls aligned to internationally accepted security frameworks or standards such as NIST, ISO/IEC, or CIS helps determine the current and target state of an organization's maturity. Typically, best practices/industry standards from these types of maturity assessments are written into the organization's information security policy, either at inception or through revision based on the outcome of the maturity assessment. In turn, it is normally reflected in the organization's information security policy, whether through revisions or not. Even if you assume an organization's information security policy does not define and include industry standards, which many do not, benchmarking the information security policy against industry standards will inform you of the level of maturity.
C is clearly WRONG. If you do no more than benchmarking your policy to an industry standard, it could mean that you have a nice defined policy. But it tells you nothing about the state of controls. Hence it would be nothing more than a paper tiger.
The answer is B. Benchmarking with other companies does not reflect the risk and maturity of the current company, since each company has its own, totally different risks. Therefore, validation of the controls will validate the effectiveness.
The best way for an organization to determine the maturity level of its information security program is to use a recognized information security maturity model. These models provide a structured framework to assess and benchmark the current state of an organization's security practices and identify areas for improvement.
C. Benchmark the information security policy against industry standards.
Supporting Citations:
The CISM CRM, 16th Edition, Chapter 3 explains that maturity models, such as the Capability Maturity Model (CMM), are widely used to assess the maturity level of governance processes and security programs. These models highlight areas for improvement and facilitate alignment with industry best practices. Maturity models assist in defining objectives for the information security program and developing strategies to meet those objectives.
It's C. What if they only have 2 controls that work really well, but miss the other 300? One of the ways to assess an organisation's maturity is to assess the security policy. C does just that.
I hesitated between B and C and decided to pick B, because: Policies happen on paper, the actual doing and assessment of the situation at hand can only be done by assessing the state of security controls. Therefore B.
I see the discussion here, and validated against AI, which chooses B. However, I think this is more of a textbook question; the word "maturity" is what I keep hearing candidates that have CISM or CISSP certs use in their interview answers. I think COMPTIA is looking to see that we take frameworks and standards into account; after all, this is more of a management cert. I'm going with C, thinking this is more of a "BIG WORD" that needs to be used, even though in real life you want to test that your controls work, as in B.
We also have to take into consideration that it says "best" and what maturity means in the context of a security program. It means how well this program is developed and how well it is at handling different situations. The "best" way to test that would be to validate the controls rather than comparing the controls to best practice.
The correct answer is B.
We assess maturity of the program through metrics associated with the implemented controls. Training and awareness results are only part of the metrics. There are others, like IT team performance, vulnerability remediation performance, etc.
Benchmark the information security policy against industry standards: Benchmarking the policy against industry standards ensures that it aligns with recognized security practices. However, it doesn't guarantee that the policy is actually being implemented and enforced effectively.
Benchmarking the information security policy against industry standards is a comprehensive approach that allows organizations to assess the maturity of their information security program in comparison to established best practices and industry benchmarks. This involves evaluating the organization's policies, processes, and controls against recognized standards such as ISO/IEC 27001, NIST Cybersecurity Framework, or other relevant frameworks.
While options like reviewing the results of information security awareness testing (option A), validating the effectiveness of implemented security controls (option B), and tracking the trending of information security incidents (option D) are important activities, benchmarking against industry standards provides a broader and more systematic evaluation of the overall maturity of the information security program.