Free ISACA CISM Actual Exam Questions - Question 7 Discussion

B, because if users can spot and report issues, culture is actually working.

C seems about structure, but does that alone prove culture success?

B imo, cause knowing and reporting incidents shows real user engagement.

A/C? Regular pen testing shows ongoing commitment, but having roles aligned with job functions (C) ensures accountability, which is also crucial for a true security culture. Could argue both reflect success differently.

Maybe B, since actual user awareness beats just having resources or roles.

Option B feels right here since a successful security culture depends a lot on users spotting and reporting issues. But the explanation could dig deeper into why that’s key. Anyone got a better breakdown?