Exam CISM topic 1 question 916 discussion

D. Determine if the risk is within the risk appetite.

D for sure. How can you be thinking of controls when you haven't verified it risk is within org acceptable threshold?

D. Determine if the risk is within the risk appetite. When it comes to residual risk, determining the risk appetite is most essential. If the residual risk is within the organizations risk appetite threshold then the residual risk can be managed but if it is above the organizations risk appetite threshold then the organization could decide on other measures like risk transference e.g. Insurance... etc.

B is done, then is D, Then C and Then A

D. Determine if the risk is within the risk appetite

After completing a risk assessment and determining the residual risk, the NEXT step would typically be: C. Conduct an evaluation of controls. Conducting an evaluation of controls involves assessing the effectiveness of the existing controls in place to mitigate the identified risks. This step helps determine whether the controls are adequate or if additional measures are needed to reduce the residual risk further. By evaluating controls, the information security manager can identify any gaps or weaknesses in the current control environment. This evaluation allows for an informed decision-making process regarding the implementation of countermeasures to mitigate the risks effectively.

C. Conduct an evaluation of controls. Once you have identified the residual risk, you should assess the effectiveness of the existing controls or countermeasures in place to mitigate that risk. This evaluation helps you understand whether the controls are adequate or if additional measures are required. It is essential to ensure that the controls are functioning as expected and providing the desired level of risk reduction. After the evaluation of controls, you can proceed with implementing countermeasures if necessary or determine if the risk is within the organization's risk appetite.