Certified Information Security Manager (CISM) — Question 1208
Senior management has just accepted the risk of noncompliance with a new regulation. What should the information security manager do NEXT?
Answer options
- A. Report the decision to the compliance officer.
- B. Reassess the organization's risk tolerance.
- C. Update details within the risk register.
- D. Assess the impact of the regulation.
Correct answer: C
Explanation
The next step is to update the risk register so that it reflects management's decision to accept the risk of noncompliance: who accepted it, the rationale, and the date. Recording the acceptance keeps the risk visible for tracking, reporting and future review, and creates an audit trail showing that the decision was made knowingly by the accountable party. The other options, while important, do not directly address the immediate need to document the decision: reporting to the compliance officer (A) is appropriate but follows the documentation; reassessing risk tolerance (B) is not warranted by a single acceptance decision; and assessing the regulation's impact (D) should already have been done before management was asked to accept the risk.