Certified Information Security Manager (CISM) — Question 389
When making decisions on prioritizing risk mitigation activities, which of the following would provide senior management with the MOST comprehensive information?
Answer options
- A. Risk assessment report
- B. Risk action plan
- C. Risk register
- D. Internal audit report
Correct answer: C
Explanation
The risk register is a comprehensive document that contains detailed information about identified risks, their potential impact, and the status of mitigation efforts, making it the most valuable source for decision-making. In contrast, the risk assessment report focuses mainly on analyzing risks, the risk action plan outlines specific measures to take, and the internal audit report assesses compliance and controls rather than prioritizing risks.