Certified Information Security Manager (CISM) — Question 1075
When reporting information security risk to senior management, it is MOST important to include:
Answer options
- A. control risk.
- B. inherent risk.
- C. detection risk.
- D. residual risk.
Correct answer: D
Explanation
Residual risk is the risk that remains after controls have been implemented, so it is the exposure the organization actually carries and the figure senior management needs in order to decide whether that exposure is acceptable. The other options describe different stages or aspects of the risk picture rather than the final one: inherent risk is the exposure before any controls are applied, control risk is the risk that implemented controls fail to operate as intended, and detection risk is the risk that a review or audit fails to identify a material problem. None of these, on its own, reflects the risk profile that remains after mitigation efforts.