Certified Information Security Manager (CISM) — Question 1024

Who should decide whether a specific control should be changed once risk is approved for mitigation?

Answer options

Correct answer: A

Explanation

The risk owner is the individual accountable for managing the risk and therefore has the authority to decide whether a control should be changed once the risk has been approved for mitigation. Other roles, such as the data owner, control owner, and process owner, have responsibilities of their own, but they do not have the final say on adjustments to the risk mitigation strategy.