Isaca Exam CISM Topic 3 Question 61 Discussion

Actual exam question for Isaca's CISM exam
Question #: 61
Topic #: 3
[All CISM Questions]

Which of the following BEST facilitates an information security manager's efforts to obtain senior management commitment for an information security program?

Suggested Answer: A

When preventive controls that would adequately mitigate a risk are not feasible, the most important action for the information security manager is to manage the impact: take measures that reduce the likelihood or the severity of the consequences should the risk materialize. Managing the impact can involve compensating controls lower in the hierarchy of controls, such as engineering controls, administrative controls, or personal protective equipment, that reduce the organization's exposure or the harm it would suffer. The other options (identifying unacceptable risk levels, assessing vulnerabilities, evaluating potential threats) belong to the risk assessment process; they inform the choice of controls but are not themselves actions that mitigate the risk when preventive controls are not feasible. References:

https://bcmmetrics.com/risk-mitigation-evaluating-your-controls/

https://www.osha.gov/safety-management/hazard-prevention

https://www.cdc.gov/niosh/topics/hierarchy/default.html


Contribute your Thoughts:

Jacqueline
Reporting the security maturity level is a bit too technical for this purpose. Senior management is more interested in the bottom line impact.
upvoted 0 times
Gene
5 days ago
Presenting evidence of inherent risk seems like the logical choice here. Senior management needs to understand the true threat landscape to take security seriously.
upvoted 0 times
Paris
5 days ago
I believe communicating the residual risk is also important. It shows what risks still exist even after security measures are in place.
upvoted 0 times
Earleen
8 days ago
I agree with Diane. Showing the potential risks will help senior management understand the importance of the security program.
upvoted 0 times
Diane
13 days ago
I think presenting evidence of inherent risk is the best way to get senior management commitment.
upvoted 0 times