Certified in Risk and Information Systems Control (CRISC) — Question 1218

Which of the following is MOST important to include in an IT risk management policy?

Answer options

• A. Risk treatment types
• B. Risk ownership requirements
• C. Risk assessment requirements
• D. Risk scoring methodology

Correct answer: B

Explanation

The correct answer is B because defining risk ownership ensures accountability and clear responsibility for managing risks. While the other options are also important, they do not establish who is responsible for managing those risks, which is essential for effective risk management.