Certified Information Security Manager (CISM) — Question 167
What is the MOST important reason to regularly report information security risk to relevant stakeholders?
Answer options
- A. To enable risk-informed decision making
- B. To reduce the impact of information security risk
- C. To ensure information security controls are effective
- D. To achieve compliance with regulatory requirements
Correct answer: A
Explanation
The primary reason for regularly reporting information security risk is to enable risk-informed decision making: stakeholders can only act appropriately when they know the current risk landscape. Reducing the impact of risk, ensuring controls are effective, and achieving regulatory compliance are all important outcomes, but they follow from, and are therefore secondary to, decisions made on the basis of accurate and timely risk information.