
Exam CISM topic 1 question 13 discussion

Actual exam question from Isaca's CISM
Question #: 13
Topic #: 1

An information security manager has been asked to determine whether an information security initiative has reduced risk to an acceptable level. Which of the following activities would provide the BEST information for the information security manager to draw a conclusion?

  • A. Initiating a cost-benefit analysis of the implemented controls
  • B. Performing a risk assessment
  • C. Reviewing the risk register
  • D. Conducting a business impact analysis (BIA)
Suggested Answer: B

Comments

CISSPST
Highly Voted 1 year, 4 months ago
Let me begin by saying that like most, after seeing ‘acceptable risk levels’ in the question, I jumped head-on to choose B, Risk Assessment. But working this backward, I approached this as a PROJECT, and CBA made perfect sense. The security initiative is usually the result of a risk assessment process, undertaken to mitigate the risks that are above acceptable levels. A (re-)assessment of the same risk, post-initiative, would be a lengthy, more tedious effort. On the other hand, risk assessment informs the cost-benefit analysis for the initiative’s business case. The CBA can be used post-implementation to evaluate the realization of proposed benefits. Refer to ISACA REVIEW MANUAL, page 144, 1st para, which states that the benefit in the context of information security initiatives is the reduction of risk (to acceptable levels at acceptable cost).
upvoted 12 times
Michi23
Highly Voted 1 month, 3 weeks ago
I also think it is B for the following reason: A cost-benefit analysis in my opinion is done in order to take a decision whether implementing a mitigation control would be profitable to reduce the risk to an acceptable level. In this case the decision has already been taken and controls have been implemented, so to actually evaluate whether the implemented controls were indeed effective to reduce the risk to an acceptable level is to do a risk assessment to evaluate the current risk. So answer B is the right one for me.
upvoted 6 times
Viperhunter
Most Recent 1 month, 3 weeks ago
Selected Answer: B
A risk assessment is a systematic process of evaluating potential risks, vulnerabilities, and threats to an organization's information assets. By conducting a risk assessment, the information security manager can identify, analyze, and evaluate the effectiveness of the implemented controls in mitigating the identified risks. This provides valuable information for determining whether the risk has been reduced to an acceptable level. While other activities, such as initiating a cost-benefit analysis of the implemented controls (option A), reviewing the risk register (option C), and conducting a business impact analysis (BIA) (option D) are important components of an overall risk management process, performing a risk assessment is specifically focused on evaluating the effectiveness of the security controls in addressing identified risks.
upvoted 2 times
Cyberbug2021
1 month, 3 weeks ago
Selected Answer: B
A risk assessment, on the other hand, provides a comprehensive evaluation of the organization's information security posture, taking into account the current threat landscape, vulnerabilities, and implemented controls. By comparing the risk assessment results before and after the initiative, the information security manager can determine whether the initiative has successfully reduced risk to an acceptable level.
upvoted 1 times
greeklover84
2 months ago
Selected Answer: B
I think B yes.
upvoted 1 times
e891cd1
9 months, 3 weeks ago
yep Cost Benefit would be more sound cuz it would be a measurement. A cost-benefit analysis is the process used to measure the benefits of a decision or taking action minus the costs associated with taking that action.
upvoted 1 times
Manix
10 months ago
Selected Answer: B
Pages 98-100: Risk management lifecycle; cost-benefit analysis shows the best mitigation approach, however there are 3 other risk treatment options.
upvoted 1 times
cidigi
10 months, 4 weeks ago
Let me add another spin here to make things more complicated and say C-Risk Register. So an organisation did a security activity and they want to measure the risk level (basically if the risk is accepted). A risk assessment is done in order to find gaps, vulnerabilities, threats, etc and based on what you find you update the Risk Register. So as a manager, I would review the risk register to see where we stand after the security activity, what are the risk levels before and after the security activity. Thank me later for confusing you more :)
upvoted 1 times
AlexJacobson
11 months, 3 weeks ago
Selected Answer: B
I'd go with B, as you are (re)assessing the residual risk here. CBA does not do that, risk assessment does it. So unless I'm missing some obscure and tricky details, it's B. :)
upvoted 1 times
boyladdudeman
1 year ago
Selected Answer: B
You're tasked with assessing the performance of newly implemented controls against a previously known risk ranking.
upvoted 1 times
Manix
1 year ago
Selected Answer: B
Assessment of residual risk is needed to determine if it's on an acceptable level. B
upvoted 1 times
sachinkhanna
1 year, 1 month ago
I will go with Michi23: I also think it is B for the following reason: A cost-benefit analysis in my opinion is done in order to take a decision whether implementing a mitigation control would be profitable to reduce the risk to an acceptable level. In this case the decision has already been taken and controls have been implemented, so to actually evaluate whether the implemented controls were indeed effective to reduce the risk to an acceptable level is to do a risk assessment to evaluate the current risk. So answer B is the right one for me.
upvoted 1 times
daytonmcse
1 year, 3 months ago
B. What does figuring out the price of implemented controls have to do with deciding if it has met the objectives of the implemented controls? Cost is never mentioned and has NOTHING to do with if we are reducing risk or not. The answer should be B.
upvoted 1 times
Azurefox79
1 year, 3 months ago
I'm failing to see how cost is relevant in determining if the controls reduced risk to an acceptable level. We don't care about cost here, we care about if what we did worked to get risk to an acceptable level. To do so, we must re-assess risk and the results of the risk assessment will be compared against our acceptable risk to say whether the level is acceptable.
upvoted 1 times
Patt70
1 year, 4 months ago
Answer is A - I read the question as "security manager has been asked to determine whether an information security initiative has reduced risk to an acceptable level". So the implementation is already done and now we need to verify the effectiveness, so here cost versus current risk appetite.
upvoted 2 times
CISMRetard
1 year, 4 months ago
According to ChatGPT it's Risk assessment: Cost-benefit analysis can assist in evaluating the costs and benefits associated with managing risks. It helps in assessing the potential risks, their likelihood, and the potential costs of mitigation measures, allowing organizations to make informed decisions about risk management strategies.
upvoted 1 times
peelu
1 year, 5 months ago
Selected Answer: B
B. Performing a risk assessment
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other