Certified Information Security Manager (CISM) — Question 814
Which of the following is the PRIMARY reason for granting a security exception?
Answer options
- A. The risk is justified by the cost to security.
- B. The risk is justified by the benefit to security.
- C. The risk is justified by the benefit to the business.
- D. The risk is justified by the cost to the business.
Correct answer: C
Explanation
The primary reason for granting a security exception is that the risk is outweighed by the benefit the exception brings to the business, making option C the correct choice. Options A and B frame the decision in terms of cost or benefit to security, which are secondary considerations, while option D cites the cost to the business, which does not justify an exception the way a business benefit does.