When preventive controls to appropriately mitigate risk are not feasible, which of the following is the MOST important action for the information security manager?
Risk is a function of probability and impact. When mitigating risk, there are only two things that can be reduced: probability and impact. Probability is reduced by preventative controls. This means that the only thing left to reduce is impact, option (D).
Rationale:
(A) The identification has already been done.
(B) The vulnerability has already been identified; that is how the controls were selected to mitigate the risk as best as possible.
(C) The threat has already been identified, as controls have already been applied.
It is required to identify residual risk after applying the controls and then take actions (risk mitigation methods) on the residual risk based on risk appetite.
A. Identifying unacceptable risk levels is the correct answer. For those of you who say D. Managing the impact, keep in mind that you cannot manage the risk impact without first of all identifying if the risk level is acceptable or not. If the risk is within the company's risk appetite level then Managing the impact can happen. However, if the risk exceeds the company's risk appetite then eliminating the risk will be the next step. Managing the impact will not be relevant in that case. So A. is the correct answer.
The correct answer is A. Identifying unacceptable risk levels.
Explanation: When preventive controls to mitigate risk are not feasible, the most important action for the information security manager is to identify unacceptable risk levels.
Here's why this option is the most important:
A. Identifying unacceptable risk levels: In situations where preventive controls are not feasible, it's important to assess the potential risks that remain and determine if they are at an unacceptable level for the organization. Identifying unacceptable risk levels helps prioritize resources for appropriate risk treatment strategies, which could include alternative controls, risk acceptance, risk avoidance, or risk transfer.
D. Managing the impact: Managing the impact is a key consideration, but identifying unacceptable risk levels comes before managing the impact. If risk levels are deemed unacceptable, strategies to manage the impact would be determined.
A. Identifying unacceptable risk levels.
In situations where preventive controls cannot adequately mitigate the identified risks, it is crucial for the information security manager to identify and understand the unacceptable risk levels. This involves assessing the potential impact and likelihood of the risks materializing and determining whether they exceed the organization's risk tolerance or acceptable levels of risk. By identifying unacceptable risk levels, the information security manager can focus on implementing appropriate risk management strategies, such as risk acceptance, risk transfer, or risk mitigation through other means.
When preventive controls to appropriately mitigate risk are not feasible, the MOST important action for the information security manager is to identify unacceptable risk levels. This involves determining the level of risk that the organization is willing to accept based on the potential impact to the organization and the likelihood of the threat occurring. From there, the organization can make an informed decision on whether to accept the risk or implement other controls to manage the risk.