Certified Information Security Manager (CISM) — Question 727
An information security manager is reporting on open items from the risk register to senior management. Which of the following is MOST important to communicate with regard to these risks?
Answer options
- A. Key risk indicators (KRIs)
- B. Responsible entities
- C. Compensating controls
- D. Potential business impact
Correct answer: D
Explanation
Communicating the potential business impact of risks is crucial, as it helps senior management understand the implications of these risks for the organization's objectives and operations. While key risk indicators, responsible entities, and compensating controls are important, they do not provide the same level of insight into how the risks could directly affect the business.