D. The information security steering committee is composed of business leaders. This is because the information security steering committee is responsible for overseeing the organization's information security program, and having business leaders on the steering committee ensures that information security is aligned with the organization's business goals.
The BEST indicator that information security governance and corporate governance are integrated is when the board is regularly informed of information security key performance indicators (KPIs) (Option C). This demonstrates that information security is being monitored and managed at the highest level of the organization, ensuring alignment with overall business objectives and strategic priorities (CoPilot).
Most CISM questions have a key word; in this question it is "integrate". When it comes to the board and KPIs, the key word in that answer for me would be "support". When it comes to the steering committee, I think of integration.
C. The board is regularly informed of information security key performance indicators (KPIs).
When the board is regularly informed about information security key performance indicators, it demonstrates a strong integration of information security governance with corporate governance. This means that information security is considered a critical aspect of overall business strategy and decision-making. Regular reporting to the board helps align information security efforts with business objectives and ensures that security is viewed as an integral part of the organization's governance structure.
While the other options (A, B, and D) are important considerations for effective information security governance, regular reporting to the board about key performance indicators directly involves top-level decision-makers and signifies a high level of integration between information security and corporate governance.
D. The information security steering committee is composed of business leaders. C is wrong because the Board of Directors of an organization doesn't usually focus on metrics like KPIs. These are the focus of management. The Board usually focuses on very high-level business objectives. So regularly updating them with KPIs would be somehow inappropriate. As such, answer option D makes the most sense.
This option indicates that information security governance and corporate governance are integrated because it demonstrates that the board is taking an active role in overseeing the organization's information security program. By regularly reviewing information security KPIs, the board can ensure that the program is aligned with the organization's overall goals and objectives and that it is effectively managing risk.
Having members on the steering committee does not guarantee integration, but KPIs would.
This shows that information security decisions and strategies are being made in collaboration with key stakeholders from the business side, which aligns information security efforts with the broader corporate governance framework.
Look at it this way. Should the company have a Corporate governance committee, it would be reporting/aligning to the board, not the security steerco. Board is accountable for governance, not security steerco.
I would go with D as in my opinion this refers to the integration the most.