Certified Information Security Manager (CISM) — Question 104
Which of the following would be of GREATEST assistance in determining whether to accept residual risk of a critical security system?
Answer options
- A. Maximum tolerable outage (MTO)
- B. Recovery time objective (RTO)
- C. Available annual budget
- D. Cost-benefit analysis of mitigating controls
Correct answer: D
Explanation
A cost-benefit analysis of the mitigating controls is the most useful input because it weighs the cost of reducing the risk further against the potential impact of the risk itself, which is exactly the trade-off behind a decision to accept residual risk. The other options are relevant to overall risk management (MTO and RTO describe recovery requirements, and the annual budget is a constraint), but none of them directly evaluates whether the remaining risk is financially practical and effective to accept.