Certified Information Security Manager (CISM) — Question 654
Who is accountable for ensuring risk mitigation is effective?
Answer options
- A. Application owner
- B. Business owner
- C. Risk owner
- D. Control owner
Correct answer: C
Explanation
The risk owner is responsible for overseeing the effectiveness of risk mitigation strategies. The application owner and business owner may have roles in the overall risk management process, but they do not specifically focus on risk mitigation. The control owner manages specific controls but does not have the overarching accountability that the risk owner has.