Certified Information Security Manager (CISM) — Question 220
Which of the following is the BEST course of action if the business activity residual risk is lower than the acceptable risk level?
Answer options
- A. Update the risk assessment framework.
- B. Monitor the effectiveness of controls.
- C. Review the risk probability and impact.
- D. Review the inherent risk level.
Correct answer: B
Explanation
The correct answer is B because when the residual risk is already below the acceptable level, the priority is to keep it there by monitoring that the existing controls continue to operate effectively. Options A, C, and D all involve reassessing the risk itself rather than checking the current effectiveness of controls, which is not necessary while the residual risk remains within the acceptable level.