Certified Information Security Manager (CISM) — Question 973
An organization's information security team presented the risk register at a recent information security steering committee meeting. Which of the following should be of MOST concern to the committee?
Answer options
- A. No owners were identified for some risks.
- B. Business applications had the highest number of risks.
- C. Risk mitigation action plans had no timelines.
- D. Risk mitigation action plan milestones were delayed.
Correct answer: A
Explanation
The absence of identified owners for some risks is critical because it indicates a lack of accountability, which can lead to unmanaged risks. A high number of risks in business applications, missing timelines, and delayed milestones are concerning, but these issues can be addressed once proper ownership and management are in place. Without assigned owners, risks may not be properly monitored or mitigated.