Certified Information Security Manager (CISM) — Question 619
Which of the following MUST be performed once risk has been accepted?
Answer options
- A. Reassess the risk on a regular basis.
- B. Calculate the business impact of acceptance.
- C. Flag the risk to avoid future reassessment.
- D. Remove the risk from the risk register.
Correct answer: A
Explanation
The correct answer is A because ongoing reassessment ensures that an accepted risk remains within tolerable limits and stays relevant as conditions change. Options B and C are not mandatory actions following risk acceptance, and option D is incorrect because removing an accepted risk from the register could cause it to be overlooked later.