Certified Information Security Manager (CISM) — Question 1025
To effectively manage an organization’s information security risk, it is MOST important to:
Answer options
- A. establish and communicate risk tolerance.
- B. benchmark risk scenarios against peer organizations.
- C. assign risk management responsibility to an experienced consultant.
- D. periodically identify and correct new systems vulnerabilities.
Correct answer: A
Explanation
The correct answer is A: establishing and communicating risk tolerance is the foundation that guides the organization's decisions and actions on security measures. Options B and C, while valuable, rely on external benchmarks and outside expertise rather than on the organization's own risk principles. Option D addresses vulnerability management, which is important but follows from, rather than defines, the organization's risk tolerance.