Certified Information Security Manager (CISM) — Question 1132
Which of the following is the MOST important objective when recommending controls?
Answer options
- A. Ensuring implementation costs are approved
- B. Identifying business processes the controls can support
- C. Reducing the risk to an acceptable level
- D. Minimizing the impact to business processes
Correct answer: C
Explanation
The correct answer is C because the main aim of implementing controls is to reduce risk to a level that the organization considers acceptable. While the other options address important aspects of control implementation, they do not prioritize risk reduction, which is the fundamental purpose of such controls.