Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Isaca Exam CISM Topic 3 Question 61 Discussion

Actual exam question for Isaca's CISM exam
Question #: 61
Topic #: 3
[All CISM Questions]

Which of the following BEST facilitates an information security manager's efforts to obtain senior management commitment for an information security program?

Show Suggested Answer Hide Answer
Suggested Answer: A

When preventive controls to appropriately mitigate risk are not feasible, the most important action for the information security manager is to manage the impact, which means taking measures to reduce the likelihood or severity of the consequences of the risk. Managing the impact can involve using alternative controls, such as engineering, administrative, or personal protective controls, that can lower the exposure or harm to the organization. The other options, such as identifying unacceptable risk levels, assessing vulnerabilities, or evaluating potential threats, are part of the risk assessment process, but they are not actions to mitigate risk when preventive controls are not feasible. Reference:

https://bcmmetrics.com/risk-mitigation-evaluating-your-controls/

https://www.osha.gov/safety-management/hazard-prevention

https://www.cdc.gov/niosh/topics/hierarchy/default.html


Contribute your Thoughts:

Shaun
1 months ago
Ah yes, the good old 'compliance' card. Because nothing says 'security' quite like a stack of regulations.
upvoted 0 times
...
Carin
1 months ago
Inherent risk? More like 'inharent' risk, am I right? *wink wink*
upvoted 0 times
Ezekiel
5 days ago
A) Presenting evidence of inherent risk
upvoted 0 times
...
...
Alita
1 months ago
Communicating the residual risk is a great way to show how much exposure the organization still faces, even with existing controls. This could really get their attention.
upvoted 0 times
...
Carmelina
1 months ago
Compliance requirements are important, but they don't necessarily convey the urgency. We need to speak the language of risk and business impact.
upvoted 0 times
Maurine
18 days ago
A) Presenting evidence of inherent risk
upvoted 0 times
...
...
Jacqueline
2 months ago
Reporting the security maturity level is a bit too technical for this purpose. Senior management is more interested in the botJacqueline line impact.
upvoted 0 times
Polly
1 months ago
D) Communicating the residual risk
upvoted 0 times
...
Gwenn
1 months ago
A) Presenting evidence of inherent risk
upvoted 0 times
...
...
Gene
2 months ago
Presenting evidence of inherent risk seems like the logical choice here. Senior management needs to understand the true threat landscape to take security seriously.
upvoted 0 times
...
Paris
2 months ago
I believe communicating the residual risk is also important. It shows what risks still exist even after security measures are in place.
upvoted 0 times
...
Earleen
2 months ago
I agree with Diane. Showing the potential risks will help senior management understand the importance of the security program.
upvoted 0 times
...
Diane
2 months ago
I think presenting evidence of inherent risk is the best way to get senior management commitment.
upvoted 0 times
...

Save Cancel