Certified Information Security Manager (CISM) — Question 525
Which of the following is the MAIN objective of a risk management program?
Answer options
- A. Reduce corporate liability for information security incidents.
- B. Reduce risk to the level of the organization's risk appetite.
- C. Reduce risk to the maximum extent possible.
- D. Reduce costs associated with incident response.
Correct answer: B
Explanation
The correct answer is B because a risk management program aims to bring risk levels into alignment with the organization's defined risk appetite. Option A is incorrect because reducing liability is a secondary concern, not the program's main objective. Option C implies an unrealistic goal of eliminating risk, which is not what a risk management program sets out to do. Option D focuses solely on cost reduction, which does not address the core aim of managing risk.