Isaca CISM Exam - Topic 3 Question 61 Discussion

Actual exam question for Isaca's CISM exam
Question #: 61
Topic #: 3

Which of the following BEST facilitates an information security manager's efforts to obtain senior management commitment for an information security program?

Suggested Answer: A

When preventive controls to appropriately mitigate risk are not feasible, the most important action for the information security manager is to manage the impact, which means taking measures to reduce the likelihood or severity of the consequences of the risk. Managing the impact can involve using alternative controls, such as engineering, administrative, or personal protective controls, that can lower the exposure or harm to the organization. The other options, such as identifying unacceptable risk levels, assessing vulnerabilities, or evaluating potential threats, are part of the risk assessment process, but they are not actions to mitigate risk when preventive controls are not feasible. Reference:

https://bcmmetrics.com/risk-mitigation-evaluating-your-controls/

https://www.osha.gov/safety-management/hazard-prevention

https://www.cdc.gov/niosh/topics/hierarchy/default.html


Contribute your Thoughts:

Jacinta
3 months ago
Surprised that inherent risk isn't the top choice for everyone!
upvoted 0 times
Jannette
3 months ago
Wait, how does reporting maturity help get commitment?
upvoted 0 times
Adell
4 months ago
Totally agree with D, residual risk is what they care about!
upvoted 0 times
Bev
4 months ago
I think compliance requirements are more important.
upvoted 0 times
Pearlene
4 months ago
Presenting evidence of inherent risk is key!
upvoted 0 times
Elise
4 months ago
I lean towards presenting compliance requirements since management often cares about regulations, but I wonder if inherent risk might resonate more with them.
upvoted 0 times
Anabel
4 months ago
I practiced a similar question where communicating residual risk was the key, but I can't recall if that was the most effective approach.
upvoted 0 times
Jaime
5 months ago
I think reporting the security maturity level might help, but I feel like compliance requirements could also be a strong argument for getting commitment.
upvoted 0 times
Iesha
5 months ago
I remember we discussed how presenting evidence of inherent risk can really grab management's attention, but I'm not sure if it's the best option here.
upvoted 0 times
Tu
5 months ago
I think the answer has to do with building rapport and making the caller feel valued. Using their name creates a more personal connection. I'll make sure to explain that in my response.
upvoted 0 times
Sheridan
5 months ago
This seems like a tricky question, but I think I have a good strategy. I'll focus on the key requirements of protecting PII and using the DLP API efficiently.
upvoted 0 times
Isadora
5 months ago
I think this is about reusing content efficiently. Experience fragments seem like the best way to maintain consistency across pages.
upvoted 0 times
Shaun
9 months ago
Ah yes, the good old 'compliance' card. Because nothing says 'security' quite like a stack of regulations.
upvoted 0 times
Carin
9 months ago
Inherent risk? More like 'inharent' risk, am I right? *wink wink*
upvoted 0 times
Malissa
8 months ago
D) Communicating the residual risk
upvoted 0 times
Georgene
8 months ago
C) Presenting compliance requirements
upvoted 0 times
Kimberely
8 months ago
B) Reporting the security maturity level
upvoted 0 times
Ezekiel
8 months ago
A) Presenting evidence of inherent risk
upvoted 0 times
Alita
10 months ago
Communicating the residual risk is a great way to show how much exposure the organization still faces, even with existing controls. This could really get their attention.
upvoted 0 times
Carmelina
10 months ago
Compliance requirements are important, but they don't necessarily convey the urgency. We need to speak the language of risk and business impact.
upvoted 0 times
Charlene
8 months ago
D) Communicating the residual risk
upvoted 0 times
Domingo
8 months ago
B) Reporting the security maturity level
upvoted 0 times
Maurine
9 months ago
A) Presenting evidence of inherent risk
upvoted 0 times
Jacqueline
10 months ago
Reporting the security maturity level is a bit too technical for this purpose. Senior management is more interested in the bottom-line impact.
upvoted 0 times
Polly
9 months ago
D) Communicating the residual risk
upvoted 0 times
Gwenn
10 months ago
A) Presenting evidence of inherent risk
upvoted 0 times
Gene
11 months ago
Presenting evidence of inherent risk seems like the logical choice here. Senior management needs to understand the true threat landscape to take security seriously.
upvoted 0 times
Paris
11 months ago
I believe communicating the residual risk is also important. It shows what risks still exist even after security measures are in place.
upvoted 0 times
Earleen
11 months ago
I agree with Diane. Showing the potential risks will help senior management understand the importance of the security program.
upvoted 0 times
Diane
11 months ago
I think presenting evidence of inherent risk is the best way to get senior management commitment.
upvoted 0 times