Certified Information Security Manager (CISM) — Question 1044
A significant risk was identified within a core business function. Budget constraints do not allow for effective remediation. Who should be accountable for selecting the appropriate risk treatment?
Answer options
- A. Data custodian
- B. Data owner
- C. Security officer
- D. Senior management
Correct answer: D
Explanation
Senior management holds the ultimate accountability for risk management decisions, and this is especially true when budget constraints prevent effective remediation: choosing a treatment in that situation means deciding whether to accept the residual risk, fund it from elsewhere, or transfer it, which requires authority over both resources and risk acceptance. While the data owner and data custodian have roles in data governance, they typically do not have the authority to allocate resources for risk treatment. The security officer may provide guidance and recommend options, but it is senior management who must make the final decision.