Certified Information Security Manager (CISM) — Question 16
If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST:
Answer options
- A. transfer risk to a third party to avoid cost of impact.
- B. recommend that management avoid the business activity.
- C. assess the gap between current and acceptable level of risk.
- D. implement controls to mitigate the risk to an acceptable level.
Correct answer: C
Explanation
The correct answer is C because the gap between the current and acceptable levels of risk must be assessed before any treatment option can be chosen. Options A (transfer) and B (avoidance) may be considered later, but understanding the size of the risk gap comes first. Option D implies that controls are already in place; without first assessing the current situation, any controls implemented may not address the actual risk effectively.