Certified Information Security Manager (CISM) — Question 1022
What is the BEST way for an information security manager to improve the effectiveness of risk management in an organization that currently manages risk at the departmental level?
Answer options
- A. Deploy security risk management software in all departments.
- B. Determine whether the organization has defined its risk tolerance and risk appetite.
- C. Subscribe to external risk reports relevant to each department.
- D. Propose that security risk be integrated under a common risk register.
Correct answer: D
Explanation
The correct answer, D, integrates security risk into a single, organization-wide risk register, giving management a holistic view of risk instead of isolated departmental views. Option A only deploys software in each department and does not address the strategic integration of risk management. Option B, while important, does not by itself improve the effectiveness of risk management. Option C may supply information but does not create a unified approach to risk.