Exam CISM topic 1 question 27 discussion

Effective information security governance requires a holistic approach that integrates policies, processes, and people. Among the options provided, a security-aware corporate culture is the most comprehensive enabler of effective governance because it ensures that security practices and principles are embedded throughout the organization.

Metrics only shows if the information security governance is effective or not BUT doesn't enable its effectiveness. A security-aware corporate culture on the other hand will enable or aid the effectiveness of the information security governance thereby resulting in good metrics.

Pages 64, General metric considerations: "Metrics serve only one purpose: to provide the information neceessary for making decisions"

A security-aware corporate culture is foundational to effective information security governance. It involves creating a mindset within the organization where employees at all levels understand the importance of security, follow security policies, and actively contribute to the protection of information assets. A strong security culture promotes accountability, awareness, and a collective commitment to information security. While advanced security technologies (option B), periodic vulnerability assessments (option C), and established information security metrics (option D) are essential components of a comprehensive security program, a security-aware corporate culture provides the organizational context and human factor necessary for successful information security governance.

A. Security-aware corporate culture

The question asks 'Enable" not measure i think A is correct here

metrics is the only objective measurement here..

A & D are good ones

culture enforces governance.

D - I think that establishing (and monitoring) security metrics is the best way to evaluate the effectiveness of security governance