Certified Information Systems Auditor (CISA) — Question 90
Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?
Answer options
- A. Average the business units' IT risk levels.
- B. Identify the highest-rated IT risk level among the business units.
- C. Establish a global IT risk scoring criteria.
- D. Prioritize the organization's IT risk scenarios.
Correct answer: C
Explanation
The correct answer, C, is appropriate because establishing global IT risk scoring criteria provides a standardized method for assessing IT risk across all business units, so that results from units using different risk-management methods can be compared on a common scale. This consistency is what allows an organization-wide risk appetite to be determined; averaging the units' risk levels or taking the highest-rated level may not accurately represent the overall risk appetite. Prioritizing IT risk scenarios does not directly address the determination of risk appetite itself.