Certified Information Security Manager (CISM) — Question 699

Which of the following is MOST important to include in a report of an organization's information security risk?

Answer options

• A. Control risk
• B. Mitigated risk
• C. Residual risk
• D. Inherent risk

Correct answer: C

Explanation

Residual risk is the amount of risk that remains after controls have been applied, making it vital for understanding the effectiveness of the security measures in place. Control risk and mitigated risk do not accurately reflect the remaining exposure after safeguards, while inherent risk pertains to risk before any controls are applied, which is less relevant for current reporting.