Certified Information Security Manager (CISM) — Question 437

Which of the following is the BEST way to help ensure an organization's risk appetite will be considered as part of the risk treatment process?

Answer options

• A. Establish key risk indicators (KRIs).
• B. Provide regular reporting on risk treatment to senior management.
• C. Require steering committee approval of risk treatment plans.
• D. Use quantitative risk assessment methods.

Correct answer: C

Explanation

The correct answer is C because requiring steering committee approval ensures that the organization's risk appetite is formally integrated into the decision-making for risk treatment. Options A and D focus on measuring and assessing risks rather than ensuring alignment with risk appetite, while option B, although useful, does not guarantee that the risk appetite is actively considered in the treatment process.