Exam CISA topic 1 question 1334 discussion

This is C. You have to know mitigation efforts are put in place.

Any view about Residual Risk - When evaluating an information security risk assessment, Residual Risk is the most important to review to understand how effectively risks have been reduced. Here’s why: • Residual Risk represents the level of risk remaining after all mitigation efforts and controls have been applied. It directly shows the effectiveness of these risk management strategies in reducing the overall risk. • Mitigation Efforts and Control Effectiveness are important for understanding what measures are in place and how well they work. However, Residual Risk provides the final measure of the risk that still exists after these efforts, making it the most direct indicator of how much risk has been successfully reduced.

While both options C and D are relevant in assessing risk reduction, reviewing mitigation efforts (option C) offers a broader understanding of the proactive measures taken by the organization to mitigate security risks comprehensively.

Answer is C Mitigation efforts refer to the actions taken to reduce or mitigate identified risks. while option D Control effectiveness refers to the extent to which implemented controls achieve their intended objectives.

D. Control effectiveness Control effectiveness is a measure of how well controls are reducing risk. By evaluating the effectiveness of controls, you can understand how much risk is being mitigated.

Mitigation efforts refer to the actions and controls put in place to reduce the impact and likelihood of identified risks. so, the right choice is C.