Certified Information Security Manager (CISM) — Question 725
An organization's marketing department wants to use an online collaboration service, which is not in compliance with the information security policy. A risk assessment is performed, and risk acceptance is being pursued. Approval of risk acceptance should be provided by:
Answer options
- A. business senior management.
- B. the compliance officer.
- C. the information security manager.
- D. the chief risk officer (CRO).
Correct answer: A
Explanation
The correct answer is A. Risk acceptance is a business decision, not a security or compliance decision: the business unit that wants the service owns the resulting risk and will bear its consequences, so approval must come from the senior management accountable for that business function. The information security manager's role is to perform or facilitate the risk assessment, present the residual risk and any alternatives (such as compensating controls or a compliant service), and document the acceptance together with its owner, rationale, any conditions, and a review date; the manager should not approve acceptance of a risk that the business, not security, owns. The compliance officer and the chief risk officer may advise on policy, regulatory and enterprise-risk implications, but neither owns the marketing process or its risk, so the final decision rests with business senior management.