Certified Information Security Manager (CISM) — Question 769
When an organization decides to accept a risk, it should mean the cost to mitigate:
Answer options
- A. exceeds budget allocation.
- B. is higher than the cost to transfer risk.
- C. is less than the residual risk.
- D. is greater than the residual risk.
Correct answer: D
Explanation
The correct answer is D: accepting a risk means the cost of mitigating it is higher than the potential impact of the residual risk, the risk that remains after mitigation. Options A, B, and C do not reflect the rationale for risk acceptance: A concerns budget allocation and B the cost of transferring the risk, neither of which is the basis for the decision, while C inverts the comparison (if mitigation cost less than the residual risk, the risk should be mitigated rather than accepted).