Certified Information Systems Auditor (CISA) — Question 898

When evaluating an information security risk assessment, what is MOST important to review to gain an understanding of how risk is reduced?

Answer options

• A. Inherent risk
• B. Residual risk
• C. Mitigation efforts
• D. Control effectiveness

Correct answer: C

Explanation

The most critical aspect to examine is the mitigation efforts, as they directly address how risks are managed and lowered. Inherent risk represents the existing level of risk without controls, residual risk refers to the remaining risk after controls are applied, and control effectiveness evaluates how well the measures are performing, but none of these provide a complete understanding of the strategies employed to reduce risk.