Certified Information Security Manager (CISM) — Question 314
A risk owner has accepted a large amount of risk due to the high cost of controls. Which of the following should be the information security manager's PRIMARY focus in this situation?
Answer options
- A. Conducting an independent review of risk responses
- B. Establishing a strong ongoing risk monitoring process
- C. Presenting the risk profile for approval by the risk owner
- D. Updating the information security standards to include the accepted risk
Correct answer: B
Explanation
The correct answer is B. When a risk owner accepts a large amount of risk because the controls that would reduce it are too expensive, the accepted risk does not disappear; it remains in the risk register at its current level. The information security manager's primary focus is therefore a strong ongoing risk monitoring process, so that any change in threat, vulnerability, asset value or business impact that pushes the risk above the level that was accepted is detected promptly and escalated to the risk owner for a new decision. Option A, an independent review of risk responses, is a useful periodic assurance activity but does not track the accepted risk continuously. Option C is moot: the risk owner has already made the acceptance decision, and presenting the risk profile for approval would repeat a step that is complete. Option D is inappropriate: accepted risk is recorded in the risk register and the formal acceptance record, not in information security standards, which define required controls rather than exceptions to them.