Certified Information Security Manager (CISM) — Question 206

A business unit is not complying with a control implemented to mitigate risk because doing so impacts the ability to achieve business goals. When reporting the noncompliance to senior management, what would be the information security manager's BEST recommendation?

Answer options

• A. Accept the noncompliance.
• B. Conduct a control assessment.
• C. Implement compensating controls.
• D. Educate the noncompliant users.

Correct answer: C

Explanation

The best recommendation is to implement compensating controls, as this allows the business unit to continue functioning while still addressing the risks. Accepting the noncompliance (A) does not mitigate the risks, conducting a control assessment (B) may not provide immediate relief, and educating users (D) does not directly resolve the issue at hand.