The scenario provided in the question indicates that senior management has already accepted the risk, which implies that an impact assessment has likely already been conducted as part of the decision-making process.
C. Update details within the risk register.
Once senior management has accepted the risk of noncompliance with a new regulation, the Information Security Manager should document the decision within the risk register. The risk register is a tool used for tracking identified risks and their status, including what decision has been made regarding each risk. Updating the risk register will provide a formal record of the decision and ensure that there is clear documentation, which is essential for future review and audits. It also serves as a reference point for any related risk treatment or mitigation activities that may become necessary later. Reporting the decision to the compliance officer, reassessing the organization's risk tolerance, and assessing the impact of the regulation are actions that would typically occur before the acceptance of risk by senior management, not after.
Updating details within the risk register is the next logical step after senior management accepts the risk. This includes documenting the decision, the rationale behind it, and any additional information relevant to the acceptance of noncompliance. The risk register serves as a central repository of information about identified risks and the organization's approach to managing them.
While reporting the decision to the compliance officer (Option A) is important for transparency and communication, reassessing the organization's risk tolerance (Option B) is not necessary immediately after a risk acceptance decision. Assessing the impact of the regulation (Option D) should have already been done during the risk assessment process. Therefore, updating the risk register is the most appropriate immediate action.
Answer should be C. If the impact has not been assessed, on what basis did senior management make their decision? After it has been accepted, it should be recorded in the register and wait to be reviewed again.
I will go with C. For a risk to be accepted, the rest of the work must have already been done. C should be the next step after acceptance: registering the risk.
The impact was assessed already, hence the risk acceptance by management. All the infosec manager can do now is to update risk register, since this is the final decision.
C. Update details within the risk register.
Updating the risk register is essential because it documents the organization's risk landscape, including risks that have been accepted by senior management. This step ensures that the decision to accept noncompliance with the new regulation is properly recorded and that any associated information, such as the rationale behind the decision and any risk mitigation measures, is documented.
C is the best answer. It is obviously assumed that a non-compliance risk has already been identified and its impacts assessed. Due to its nature, the risk of non-compliance with regulation has certainly been initially marked as "unacceptable" in the Risk Register. The decision to accept the risk, perhaps pursuant to a cost-benefit analysis, implies a change in risk appetite and so a risk register update.
What is the need to assess the risk once it has been accepted? The assessment could have been done just before management's acceptance. (Reassessment may be required at a later stage due to risk environment changes; not immediately once approved.)
The correct answer is (C) because that is the only thing the security manager is responsible for and can act on.
Rationale:
(A) isn't right because the compliance officer already knows. It's part of their job.
(B) This is outside the scope of the security manager's role and is the job of the board of directors.
(D) This is the job of the compliance officer.
More verbose details:
The Chief Compliance Officer is responsible for:
- Assessing the impact of the new regulation on the organization.
- Developing and implementing a plan to comply with the regulation.
- Monitoring the organization's compliance with the regulation.
- Reporting on the organization's compliance to senior management.