A
KPIs are tailored, performance-oriented metrics that are well-suited to convey the status of information security compliance to senior management in a clear and actionable manner.
Key performance indicators (KPIs) are measurable metrics that provide a clear and concise way to communicate the status of information security compliance to senior management. KPIs can include metrics related to policy adherence, incident response effectiveness, vulnerability management, and other aspects of the organization's information security program. Using KPIs allows senior management to quickly grasp the current state of compliance and make informed decisions based on measurable data.
While risk assessment results (option B), industry benchmarks (option C), and business impact analysis (BIA) results (option D) are valuable for various aspects of information security management, KPIs are specifically designed to provide a snapshot of the performance and compliance status, making them a more focused and direct communication tool for senior management.
Answer is A. To understand better, read the article here - https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2020/how-to-involve-senior-management-in-the-information-security-governance-process
Clearly, the answer is B. Why? Risk assessments are broader (typically) than just one or a few controls. KPIs are very specific in what they measure... so B is NOT a good answer. C. No. An industry benchmark is not specific enough to your business/company. D. Just, No. Why? Doesn't make sense.
A. Key performance indicators (KPIs) would be MOST useful to help senior management understand the status of information security compliance. KPIs are metrics that are used to measure the performance of specific aspects of an organization's security program, such as the effectiveness of security controls, incident response times, and compliance with regulations and standards. These metrics can be presented in an easy-to-understand format, making it easier for senior management to understand the status of the organization's compliance efforts. Risk assessment results, industry benchmarks, and Business Impact Analysis (BIA) results can also provide important information but presenting it in a KPI format can make it easily understandable for senior management.
oluchecpoint (9 months, 3 weeks ago)
Viperhunter (12 months ago)
oluchecpoint (1 year, 2 months ago)
Patt70 (1 year, 4 months ago)
buddhika2010 (3 months ago)
richck102 (1 year, 6 months ago)
Q_K (1 year, 8 months ago)
CarlLimps (1 year, 9 months ago)
Antonivs (1 year, 10 months ago)
Broesweelies (1 year, 10 months ago)
SSP_Secure (1 year, 10 months ago)
MyKasala (1 year, 10 months ago)