
Isaca CISM Exam - Topic 4 Question 59 Discussion

Actual exam question for Isaca's CISM exam
Question #: 59
Topic #: 4
[All CISM Questions]

When preventive controls to appropriately mitigate risk are not feasible, which of the following is the MOST important action for the information security manager?

Suggested Answer: A

When preventive controls that would appropriately mitigate a risk are not feasible, the most important action for the information security manager is to manage the impact: take measures that reduce the likelihood or the severity of the consequences should the risk materialize. Managing the impact can involve alternative controls, such as engineering, administrative, or personal protective controls, that lower the organization's exposure or the harm it would suffer. The other options (identifying unacceptable risk levels, assessing vulnerabilities, and evaluating potential threats) belong to the risk assessment process; they inform the decision but are not themselves actions that mitigate the risk once preventive controls have been ruled out. References:

https://bcmmetrics.com/risk-mitigation-evaluating-your-controls/

https://www.osha.gov/safety-management/hazard-prevention

https://www.cdc.gov/niosh/topics/hierarchy/default.html


Contribute your Thoughts:

Yuriko
3 months ago
Evaluating potential threats is crucial too, though.
upvoted 0 times
...
Carey
3 months ago
Surprised that managing the impact isn't the top choice!
upvoted 0 times
...
Eve
4 months ago
But isn't assessing vulnerabilities just as important?
upvoted 0 times
...
Marnie
4 months ago
Totally agree, you can't manage what you don't know!
upvoted 0 times
...
Ming
4 months ago
I think identifying unacceptable risk levels is key.
upvoted 0 times
...
Truman
4 months ago
Evaluating potential threats could be relevant, but I wonder if it’s more about what to do after the fact rather than the immediate action needed.
upvoted 0 times
...
Tamar
4 months ago
Assessing vulnerabilities seems important too, but I feel like it might come after managing the impact.
upvoted 0 times
...
Eden
5 months ago
I remember a practice question that emphasized identifying unacceptable risk levels as a key step, so I might lean towards option B.
upvoted 0 times
...
Hector
5 months ago
I think managing the impact is crucial when preventive controls fail, but I'm not entirely sure if it's the most important action.
upvoted 0 times
...
Natalya
5 months ago
Hmm, I'm not super familiar with 5S programs. The wording about "learning and demonstration purposes" makes me think the answer is True, but I'm not 100% sure. I'll have to think this through carefully.
upvoted 0 times
...
Millie
5 months ago
This question seems straightforward. I'll carefully read the options and choose the one that best matches the information provided in the prompt.
upvoted 0 times
...
Adrianna
5 months ago
I'm a bit confused by the different namespace prefixes used in the answer choices. I'll need to make sure I understand how those work in the context of this YANG data model.
upvoted 0 times
...
Shawnna
5 months ago
Key steps: Calculate required return using CAPM formula, then compare to current market price. Watch for systematic vs. unsystematic risk differences.
upvoted 0 times
...
