Controls to manage risk have been implemented and evaluated successfully. Risks are now at the level which the organization is willing to accept. What is the name of this risk?
In risk management, after controls are implemented to mitigate risks, the remaining risk that the organization is willing to accept is called residual risk (C). According to frameworks like ISO/IEC 27001 and COBIT, residual risk represents the level of risk that persists after applying controls, deemed acceptable based on the organization's risk appetite. For example, if a control reduces the likelihood or impact of a threat (e.g., data breach), the remaining exposure is the residual risk, which the organization monitors but does not further mitigate unless necessary.
Reduced risk (A): Not a standard term; implies a general decrease but lacks specificity.
Lowered risk (B): Similar to reduced risk, not a recognized term in risk management frameworks.
Modified risk (D): Implies risk alteration but is not a standard term for post-control risk levels.
Residual risk is a critical concept in risk management, ensuring organizations understand and accept the remaining exposure after mitigation efforts.