Certified Information Security Manager (CISM) — Question 92
A risk was identified during a risk assessment. The business process owner has chosen to accept the risk because the cost of remediation is greater than the projected cost of a worst-case scenario. What should be the information security manager's NEXT course of action?
Answer options
- A. Document and schedule a date to revisit the issue.
- B. Document and escalate to senior management.
- C. Shut down the business application.
- D. Determine a lower-cost approach to remediation.
Correct answer: A
Explanation
The correct action is to formally document the process owner's acceptance of the risk and schedule a future date to revisit it, since the cost of remediation, the likelihood of the threat and the worst-case impact can all change over time; this keeps the accepted risk visible and maintains accountability. Escalating to senior management (option B) is unnecessary unless there are significant concerns, shutting down the application (option C) is too drastic, and determining a lower-cost remediation (option D) contradicts the owner's decision to accept the risk.