Certified Information Security Manager (CISM) — Question 242

The department head of application development has decided to accept the risks identified in a recent assessment. No recommendations will be implemented, even though the recommendations are required by regulatory oversight. What should the information security manager do NEXT?

Answer options

• A. Formally document the decision.
• B. Review the regulations.
• C. Review the risk monitoring plan.
• D. Perform a risk reassessment.

Correct answer: A

Explanation

The correct next step is to formally document the decision to accept the risks, as this creates a record of the choice made by the department head. While reviewing the regulations, monitoring plans, or reassessing risks are important, they do not address the immediate need to have a documented acknowledgment of the decision taken.