Certified Information Security Manager (CISM) — Question 376
When integrating security risk management into an organization, it is MOST important to ensure:
Answer options
- A. the risk management methodology follows an established framework.
- B. business units approve the risk management methodology.
- C. the risk treatment process is defined.
- D. information security policies are documented and understood.
Correct answer: B
Explanation
The correct answer is B because obtaining approval from business units ensures that the risk management methodology is aligned with organizational goals and practices. Options A, C, and D, while important, do not address the need for business unit approval, which is critical for effective implementation and buy-in.