exam questions

Exam CISM All Questions

View all questions & answers for the CISM exam

Exam CISM topic 1 question 90 discussion

Actual exam question from Isaca's CISM
Question #: 90
Topic #: 1
[All CISM Questions]

If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST:

  • A. transfer risk to a third party to avoid cost of impact.
  • B. recommend that management avoid the business activity.
  • C. assess the gap between current and acceptable level of risk.
  • D. implement controls to mitigate the risk to an acceptable level.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Viperhunter
3 months, 3 weeks ago
Selected Answer: C
Before taking any specific actions such as transferring risk (Option A), recommending avoidance of the business activity (Option B), or implementing controls (Option D), it's crucial to conduct a thorough assessment of the gap between the current inherent risk and the acceptable risk level. This involves evaluating the specific risks associated with the activity, understanding the potential impact on the organization, and determining the feasibility and effectiveness of various risk management strategies. Assessing the gap provides a foundation for making informed decisions and selecting the most appropriate risk mitigation measures.
upvoted 1 times
...
oluchecpoint
6 months, 2 weeks ago
C. assess the gap between the current and acceptable level of risk. Assessing the gap between the current level of risk and the acceptable level of risk is the initial step in understanding the nature and magnitude of the risk exposure. This assessment will help the information security manager make informed decisions about how to proceed. Once the gap has been assessed, the information security manager can then consider various risk management options, such as implementing controls to mitigate the risk to an acceptable level (option D), transferring the risk to a third party (option A), or recommending that management avoid the business activity (option B). However, understanding the gap is essential before determining which risk management strategy is most appropriate for the specific situation.
upvoted 2 times
...
karanvp
8 months, 4 weeks ago
B is not correct answer because it say Risk Avoidance.
upvoted 1 times
...
richck102
9 months, 3 weeks ago
C. assess the gap between current and acceptable level of risk.
upvoted 1 times
...
romero318
10 months ago
Selected Answer: C
As stated before what would you do " FIRST". Every thing else false in line after based on the results of the Gap analysis
upvoted 2 times
...
CISM_newbie
11 months, 1 week ago
Key word is do "FIRST"... conduct a GAP then look to put mitigation measures in place..
upvoted 1 times
...
vavofa5697
1 year, 1 month ago
Selected Answer: B
My analysis: A. transfer risk to a third party to avoid cost of impact. ==> need to perform assessment whether this treatment will reduce the risk to acceptable level C. assess the gap between current and acceptable level of risk. ==> not, because we already now that it is above risk appetite, so gap analysis already been done D. implement controls to mitigate the risk to an acceptable level. ==> security manager can not implement controls, but the business user B. recommend that management avoid the business activity. ==> the remaining and best answer
upvoted 1 times
[Removed]
8 months, 3 weeks ago
But it says inherent risk. so there are no controls implemented yet. if residual risk is higher then you might recommend avoidance.
upvoted 1 times
...
...
d3vnu77
1 year, 1 month ago
D, the question implies the gap analysis is completed and acceptable is lower than risk of new business.
upvoted 4 times
...
MSKid
1 year, 5 months ago
Selected Answer: C
GAP Analysis is the best answer
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago