Certified Information Security Manager (CISM) — Question 124
To inform a risk treatment decision, which of the following should the information security manager compare with the organization's risk appetite?
Answer options
- A. Gap analysis results
- B. Level of risk treatment
- C. Configuration parameters
- D. Level of residual risk
Correct answer: D
Explanation
The correct answer is D: the level of residual risk is the risk that remains after treatment measures have been applied, so it is the value that must be compared against the organization's risk appetite to decide whether further treatment is needed. Options A, B, and C do not provide a direct measure of the risk remaining after treatment and are therefore not relevant to this specific comparison.