Certified Information Security Manager (CISM) — Question 351

Which of the following MUST be defined in order for an information security manager to evaluate the appropriateness of controls currently in place?

Answer options

• A. Security policy
• B. Risk management framework
• C. Security standards
• D. Risk appetite

Correct answer: D

Explanation

The correct answer is D, as understanding the organization's risk appetite is essential for evaluating whether the existing controls align with the acceptable level of risk. Options A, B, and C, while important for overall security governance, do not directly address the threshold of risk the organization is willing to accept, which is crucial for control evaluation.