Isaca Updated CISM Exam Questions and Answers by arisha

The most appropriate information to communicate to senior management regarding information risk is the risk profile changes, which reflect the current level and nature of the risks that the organization faces. The risk profile changes can help senior management to understand the impact of the risks on the business objectives, the effectiveness of the risk management strategy, and the need for any adjustments or improvements. The risk profile changes can also help senior management to prioritize the allocation of resources and to make informed decisions.

References = CISM Review Manual, 16th Edition eBook1, Chapter 2: Information Risk Management, Section: Risk Communication, Subsection: Risk Reporting, Page 97.

Performing a gap analysis is the first step to ensure the security policy framework encompasses the new business model because it is a process of comparing the current state of security policies and controls with the desired or required state. A gap analysis helps to identify the strengths and weaknesses of the existing security policy framework, as well as the opportunities and threats posed by the new business model. A gap analysis also helps to prioritize the actions and resources needed to close the gaps and align the security policy framework with the new business objectives and requirements. Therefore, performing a gap analysis is the correct answer.

References:

https://secureframe.com/blog/security-frameworks

https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one

Key risk indicators (KRIs) are the most useful to include in an information security status report for management because they measure and report the level of risk exposure or performance against predefined risk thresholds or targets, and alert management of any deviations or issues that may require attention or action. List of recent security events is not very useful to include in an information security status report for management because it does not provide any analysis or evaluation of the events or their impact on the organization’s objectives or performance. Review of information security policies is not very useful to include in an information security status report for management because it does not reflect any progress or results of implementing or enforcing the policies. Information security budget requests are not very useful to include in an information security status report for management because they do not indicate any value or benefit of investing in information security initiatives or controls. References: https://www.isaca.org/resources/isaca-journal/iss ues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security-using-iso-27004