Certified Information Security Manager (CISM) — Question 147

Which of the following is MOST important for an information security manager to communicate to stakeholders when approving exceptions to the information security policy?

Answer options

• A. Impact on the risk profile
• B. Need for compensating controls
• C. Time period for review
• D. Requirements for senior management reporting

Correct answer: A

Explanation

The most critical aspect to communicate is the 'Impact on the risk profile' as it directly affects the organization's overall risk management strategy. While the need for compensating controls, the time for review, and reporting requirements are important, they are secondary to understanding how the exception alters the organization's risk landscape.