Certified Information Security Manager (CISM) — Question 1111

Exceptions to a security policy should be approved based PRIMARILY on:

Answer options

• A. results of a cost-benefit analysis.
• B. risk appetite.
• C. security incident classification.
• D. industry best practices.

Correct answer: B

Explanation

The correct answer is B, as risk appetite is the primary factor that determines how much risk an organization is willing to accept when considering exceptions. While cost-benefit analysis, security incident classification, and industry best practices are important, they typically serve as secondary considerations rather than the main basis for approval.