Certified Chief Information Security Officer (CCISO) — Question 180

Acceptable levels of information security risk tolerance in an organization should be determined by?

Answer options

• A. Corporate compliance committee
• B. CEO and board of director
• C. CISO with reference to the company goals
• D. Corporate legal counsel

Correct answer: B

Explanation

The CEO and board of directors are ultimately responsible for the organization's strategic direction and risk management policies, including risk tolerance. While the CISO and other committees may provide input, the final decision rests with the leadership team. Corporate legal counsel plays a role in compliance but does not determine risk tolerance.