Certified Chief Information Security Officer (CCISO) — Question 5
Risk appetite is typically determined by which of the following organizational functions?
Answer options
- A. Business units
- B. Board of Directors
- C. Audit and compliance
- D. Security
Correct answer: A
Explanation
The correct answer is A, as business units are directly involved in operational decision-making and are best positioned to assess their risk appetite. While the Board of Directors provides oversight, it does not typically set the risk appetite directly. Audit and compliance focus on regulatory adherence, and security is primarily concerned with protecting assets rather than defining risk appetite.