Certified Information Security Manager (CISM) — Question 401
An empowered security steering committee has decided to accept a critical risk. Which of the following is the information security manager's BEST course of action?
Answer options
- A. Notify the chief risk officer (CRO) and internal audit.
- B. Determine the impact to information security objectives.
- C. Remove the specific risk item from the risk register.
- D. Document the risk acceptance and justification.
Correct answer: D
Explanation
An empowered steering committee is an authorized risk owner, so its decision to accept a critical risk is a legitimate governance outcome that the information security manager should not override. The manager's role is to ensure the decision is formally recorded: the risk, the acceptance decision, the justification, who made it, and when it will be reviewed. This creates an auditable record and supports later re-evaluation if conditions change. Removing the risk from the risk register (C) is wrong because accepted risks remain in the register with their accepted status; the register tracks all identified risks, not only those being mitigated. Determining the impact on information security objectives (B) belongs before the decision, as input to the committee, not after it. Notifying the CRO and internal audit (A) may be appropriate depending on the organization's reporting structure, but it is not the manager's primary obligation once the decision has been made, and escalation without a documented decision would have little to refer to. Documenting the acceptance and its justification (D) is therefore the best course of action.