Certified Information Systems Auditor (CISA) — Question 1095

According to the three lines of defense model for risk management, the second line of defense includes functions that:

Answer options

• A. own risks.
• B. oversee risks.
• C. define risk appetite.
• D. provide independent assurance.

Correct answer: B

Explanation

The second line of defense is responsible for overseeing risks, ensuring that risk management policies are implemented effectively. While the first line owns the risks and the third line provides independent assurance, the second line focuses on monitoring and supporting the risk management process.