Certified Information Security Manager (CISM) — Question 1202
An information security manager has completed a risk assessment and has determined the residual risk. Which of the following should be the NEXT step?
Answer options
- A. Implement countermeasures to mitigate risk.
- B. Classify all identified risks.
- C. Conduct an evaluation of controls.
- D. Determine if the risk is within the risk appetite.
Correct answer: D
Explanation
The correct answer is D because once residual risk has been determined, the next logical step is to compare it against the organization's risk appetite to decide whether that risk is acceptable. Options A, B, and C are legitimate risk-management activities, but they should come after establishing whether the remaining risk is tolerable.