
APMG-International ISO-IEC-27001-Foundation Exam - Topic 2 Question 4 Discussion

Actual exam question for APMG-International's ISO-IEC-27001-Foundation exam
Question #: 4
Topic #: 2
[All ISO-IEC-27001-Foundation Questions]

Which action is a required response to an identified residual risk?

Suggested Answer: C

Clause 6.1.3 (e) specifies:

"The organization shall obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks."

This confirms that residual risks, those remaining after risk treatment has been applied, must be reviewed and formally accepted by the designated risk owner. Option A is incorrect; awareness training is not a default control for every residual risk. Option B misrepresents leadership responsibility; top management ensures that the risk management processes exist, but it is the risk owner who formally approves residual risk. Option D (avoiding the risk) is one of the available treatment options, not the mandated response to a residual risk.

Thus, the required response is C: Review and acceptance by the risk owner.


Contribute your Thoughts:

Chaya
8 days ago
True, but sometimes risks can't be avoided entirely.
upvoted 0 times
Delbert
13 days ago
But what about option D? Changing practices seems proactive.
upvoted 0 times
Craig
18 days ago
I agree with Alice. Acceptance is crucial.
upvoted 0 times
Celeste
23 days ago
D sounds good, but changing practices isn't always feasible.
upvoted 0 times
Talia
29 days ago
A is important too, but C feels more direct.
upvoted 0 times
Florinda
1 month ago
Wait, can we really just accept risks? Seems risky!
upvoted 0 times
Dustin
1 month ago
Totally agree with C! Acceptance is key.
upvoted 0 times
Loreen
1 month ago
I think C is the right answer. Risk owners need to review it.
upvoted 0 times
Audrie
2 months ago
I recall something about awareness training being a response, but I can't remember if it's the default action for residual risks.
upvoted 0 times
Candida
2 months ago
I practiced a question like this where we discussed avoiding risks, but I'm not confident that changing practices is always required.
upvoted 0 times
Lizbeth
2 months ago
I'm not entirely sure, but I feel like management delegating to risk owners sounds familiar. Could it be option B?
upvoted 0 times
Valentine
2 months ago
I think I remember that residual risks need to be reviewed, so maybe option C is the right one?
upvoted 0 times
Chantay
2 months ago
Why do you say that, Alice?
upvoted 0 times
Johnetta
3 months ago
I think option C is the best choice.
upvoted 0 times
Johnetta
3 months ago
Because the risk owner needs to assess if they can accept the risk.
upvoted 0 times
Tyisha
3 months ago
Residual risk? More like "residual stress" after taking this exam!
upvoted 0 times
Nadine
3 months ago
Haha, I'm just going to choose the one that sounds the most like corporate jargon. That's gotta be the right answer!
upvoted 0 times
Lashaunda
4 months ago
B) Top management shall delegate its treatment to risk owners. This is the correct answer.
upvoted 0 times
Trinidad
4 months ago
D) The organization shall change practices to avoid the risk occurring.
upvoted 0 times
Matt
4 months ago
C) It shall be reviewed by the risk owner to consider acceptance.
upvoted 0 times
Laila
4 months ago
Okay, I think I've got this. The key is that the question is asking about a "required" response, so that rules out things like awareness training or delegating to risk owners. The correct answer has to be an action the organization is required to take, which makes C the best choice in my opinion.
upvoted 0 times
Levi
4 months ago
Definitely not A. That's just about security awareness, not a required response to residual risk. B and C both sound plausible, but I'm leaning more towards C since it specifically mentions the risk owner reviewing the risk.
upvoted 0 times
Mozelle
5 months ago
Hmm, I'm a bit confused. I was thinking the answer might be D, since changing practices to avoid the risk seems like a common way to address residual risks. But I'm not totally sure.
upvoted 0 times
Hyun
5 months ago
I think the answer is C. The question is asking about a required response to a residual risk, and accepting the risk after review by the risk owner seems like the appropriate action.
upvoted 0 times
Felicitas
3 months ago
I agree with you, C makes the most sense.
upvoted 0 times