Certified Information Security Manager (CISM) — Question 647
In an organization with a rapidly changing environment, business management has accepted an information security risk. It is MOST important for the information security manager to ensure:
Answer options
- A. change activities are documented.
- B. compliance with the risk acceptance framework.
- C. the rationale for acceptance is periodically reviewed.
- D. the acceptance is aligned with business strategy.
Correct answer: C
Explanation
The correct answer, C, emphasizes the need for ongoing evaluation of the reasoning behind the risk acceptance so that it remains valid over time: in a rapidly changing environment, the conditions and assumptions on which the acceptance was based may no longer hold. Options A and B focus on documentation and compliance, which are important but secondary to the need for regular review. Option D concerns alignment with business strategy, which is also crucial but does not address the necessity of revisiting the reasons for accepting the risk.