Certified Information Security Manager (CISM) — Question 952

Management would like to understand the risk associated with engaging an Infrastructure-as-a-Service (IaaS) provider compared to hosting internally. Which of the following would provide the BEST method of comparing risk scenarios?

Answer options

• A. Reviewing mitigating and compensating controls for each risk scenario
• B. Mapping the risk scenarios by likelihood and impact on a chart
• C. Performing a risk assessment on the IaaS provider
• D. Mapping risk scenarios according to sensitivity of data

Correct answer: B

Explanation

Mapping the risk scenarios by likelihood and impact on a chart provides a visual representation that helps in comparing the severity and probability of various risks effectively. While reviewing controls and performing assessments are important, they do not offer the same level of comparative clarity as a chart does. Organizing by data sensitivity is relevant but does not directly compare risk scenarios effectively.