Certified Information Security Manager (CISM) — Question 529
Which of the following is the MOST important element in the evaluation of inherent security risks?
Answer options
- A. Impact to the organization
- B. Control effectiveness
- C. Residual risk
- D. Cost of countermeasures
Correct answer: A
Explanation
Impact to the organization is the most important element because it determines how much a security risk matters to business operations, reputation, and compliance. Inherent risk is assessed before controls are taken into account, so control effectiveness, residual risk, and cost of countermeasures, while important, are secondary to understanding the potential impact that risks pose to the organization as a whole.