Certified Information Security Manager (CISM) — Question 300

An organization has identified a risk scenario that has low impact to the organization but is very costly to mitigate. Which risk treatment option is MOST appropriate in this situation?

Answer options

Correct answer: B

Explanation

The best choice in this scenario is Acceptance, because the low impact of the risk does not justify the high cost of mitigating it. The other options, such as Mitigation or Avoidance, would incur unnecessary expense given the low impact, while Transfer may not be suitable if the organization is willing to accept the risk instead.