Certified Information Security Manager (CISM) — Question 844
After a risk has been identified, analyzed, and evaluated, which of the following should be done NEXT?
Answer options
- A. Monitor the risk.
- B. Prioritize the risk for treatment.
- C. Identify the risk owner.
- D. Identify controls for risk mitigation.
Correct answer: B
Explanation
Once a risk has been identified, analyzed, and evaluated, the next step is to prioritize it for treatment, because prioritization determines the order in which risks are addressed based on their severity and potential impact. Monitoring the risk, identifying the risk owner, and identifying controls for risk mitigation are all important steps, but they follow prioritization so that treatment effort is directed at the most significant risks first.