Certified Information Security Manager (CISM) — Question 1201

Which of the following is the MOST important consideration for reporting risk assessment results to senior management?

Answer options

• A. The reports should include comparisons to industry benchmarks.
• B. The reports should be presented in business terms.
• C. The reports should use formal methodologies.
• D. The reports should include recommended controls.

Correct answer: B

Explanation

Presenting reports in business terms is crucial because it ensures that senior management, who may not have technical backgrounds, understands the implications of the risks. While comparisons to industry benchmarks, formal methodologies, and recommended controls are useful, they are secondary to effectively communicating the risk in a way that resonates with business objectives.