
APMG-International ISO-IEC-27001-Foundation Exam - Topic 2 Question 4 Discussion

Which action is a required response to an identified residual risk?
A) By default, it shall be controlled by information security awareness and training
B) Top management shall delegate its treatment to risk owners
C) It shall be reviewed by the risk owner to consider acceptance
D) The organization shall change practices to avoid the risk occurring

Actual exam question for APMG-International's ISO-IEC-27001-Foundation exam
Question #: 4
Topic #: 2
[All ISO-IEC-27001-Foundation Questions]

Suggested Answer: C

Clause 6.1.3 (e) specifies:

"The organization shall obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks."

This confirms that residual risks --- those remaining after risk treatment --- must be reviewed and formally accepted by the designated risk owner. Option A is incorrect; awareness training is not a default control for all residual risks. Option B misrepresents leadership responsibility; top management ensures processes exist, but risk owners formally approve residual risk. Option D (avoiding risk) is a treatment option, not the mandated requirement for residual risks.

Thus, the required response is C: Review and acceptance by the risk owner.


Contribute your Thoughts:

Chaya
2 months ago
I like that it puts responsibility on the risk owner.
upvoted 0 times
...
Craig
2 months ago
Yes, it covers the necessary evaluation.
upvoted 0 times
...
Delbert
2 months ago
So, we all think option C is strong?
upvoted 0 times
...
Chantay
2 months ago
Management should definitely be involved too.
upvoted 0 times
...
Johnetta
3 months ago
Exactly, that's why reviewing is key.
upvoted 0 times
...
Chaya
3 months ago
True, but sometimes risks can't be avoided entirely.
upvoted 0 times
...
Delbert
4 months ago
But what about option D? Changing practices seems proactive.
upvoted 0 times
...
Craig
4 months ago
I agree with Alice. Acceptance is crucial.
upvoted 0 times
...
Celeste
4 months ago
D sounds good, but changing practices isn't always feasible.
upvoted 0 times
...
Talia
4 months ago
A is important too, but C feels more direct.
upvoted 0 times
...
Florinda
4 months ago
Wait, can we really just accept risks? Seems risky!
upvoted 0 times
...
Dustin
4 months ago
Totally agree with C! Acceptance is key.
upvoted 0 times
...
Loreen
5 months ago
I think C is the right answer. Risk owners need to review it.
upvoted 0 times
...
Audrie
5 months ago
I recall something about awareness training being a response, but I can't remember if it's the default action for residual risks.
upvoted 0 times
...
Candida
5 months ago
I practiced a question like this where we discussed avoiding risks, but I'm not confident that changing practices is always required.
upvoted 0 times
...
Lizbeth
5 months ago
I'm not entirely sure, but I feel like management delegating to risk owners sounds familiar. Could it be option B?
upvoted 0 times
...
Valentine
5 months ago
I think I remember that residual risks need to be reviewed, so maybe option C is the right one?
upvoted 0 times
...
Chantay
5 months ago
Why do you say that, Alice?
upvoted 0 times
...
Johnetta
6 months ago
I think option C is the best choice.
upvoted 0 times
...
Johnetta
6 months ago
Because the risk owner needs to assess if they can accept the risk.
upvoted 0 times
...
Tyisha
6 months ago
Residual risk? More like "residual stress" after taking this exam!
upvoted 0 times
...
Nadine
7 months ago
Haha, I'm just going to choose the one that sounds the most like corporate jargon. That's gotta be the right answer!
upvoted 0 times
...
Lashaunda
7 months ago
B) Top management shall delegate its treatment to risk owners. This is the correct answer.
upvoted 0 times
...
Trinidad
7 months ago
D) The organization shall change practices to avoid the risk occurring.
upvoted 0 times
...
Matt
7 months ago
C) It shall be reviewed by the risk owner to consider acceptance.
upvoted 0 times
...
Laila
7 months ago
Okay, I think I've got this. The key is that the question is asking about a "required" response, so that rules out things like awareness training or delegating to risk owners. The correct answer has to be an action the organization is required to take, which makes C the best choice in my opinion.
upvoted 0 times
...
Levi
8 months ago
Definitely not A. That's just about security awareness, not a required response to residual risk. B and C both sound plausible, but I'm leaning more towards C since it specifically mentions the risk owner reviewing the risk.
upvoted 0 times
...
Mozelle
8 months ago
Hmm, I'm a bit confused. I was thinking the answer might be D, since changing practices to avoid the risk seems like a common way to address residual risks. But I'm not totally sure.
upvoted 0 times
...
Hyun
8 months ago
I think the answer is C. The question is asking about a required response to a residual risk, and accepting the risk after review by the risk owner seems like the appropriate action.
upvoted 0 times
Kallie
1 month ago
I still think B has its merits. Delegating is important.
upvoted 0 times
...
Maynard
2 months ago
D could work too, but it seems more proactive.
upvoted 0 times
...
Reid
2 months ago
C is definitely a valid choice, but what about D?
upvoted 0 times
...
Felicitas
6 months ago
I agree with you, C makes the most sense.
upvoted 0 times
...