Exam 712-50 topic 1 question 211 discussion

I think this should the Board Of Director. I think they must determine the Risk Appetite of the business and NOT the Business Units. The Business Units could be compensating?

BOD determine

B. NIST Special Publication 800-39 (Managing Information Security Risk): This publication underscores the importance of senior leadership, including the Board, in setting the organization's risk appetite.

accountable, business units, hence they determine appetite. Responsible, Board of Directors and senior leadership, They accept or reject the recommendation.

Poorly phrased question, IMO. I agree with @Rufus1. It also depends on the size and type of organization.

The risk appetite is typically determined by the Board of Directors, making option B the correct answer. The Board of Directors holds the overall responsibility for setting the strategic direction and objectives of an organization, including its risk management approach. The risk appetite represents the level of risk that an organization is willing to accept in pursuit of its objectives. It reflects the organization's tolerance for risk and guides decision-making processes regarding risk management.

Answer is B. The risk appetite of an organization refers to the level of risk that an organization is willing to accept to achieve its objectives. This decision is typically made by senior management or the board of directors, as they are responsible for setting the overall strategic direction and risk tolerance of the organization. Business units, audit and compliance, and security may provide input into the risk appetite decision-making process, but they do not typically have the authority to make the final decision.

Business Unit may not have the knowledge of Risk, CISO is expected to present it to Board of Directors for approval.

"Determined"... Can be Business Units to determine, and Board to approve. Very debating choices...

B Board of directors

Board of directors