Exam CISM topic 1 question 90 discussion

Before taking any specific actions such as transferring risk (Option A), recommending avoidance of the business activity (Option B), or implementing controls (Option D), it's crucial to conduct a thorough assessment of the gap between the current inherent risk and the acceptable risk level. This involves evaluating the specific risks associated with the activity, understanding the potential impact on the organization, and determining the feasibility and effectiveness of various risk management strategies. Assessing the gap provides a foundation for making informed decisions and selecting the most appropriate risk mitigation measures.

C. assess the gap between the current and acceptable level of risk. Assessing the gap between the current level of risk and the acceptable level of risk is the initial step in understanding the nature and magnitude of the risk exposure. This assessment will help the information security manager make informed decisions about how to proceed. Once the gap has been assessed, the information security manager can then consider various risk management options, such as implementing controls to mitigate the risk to an acceptable level (option D), transferring the risk to a third party (option A), or recommending that management avoid the business activity (option B). However, understanding the gap is essential before determining which risk management strategy is most appropriate for the specific situation.

B is not correct answer because it say Risk Avoidance.

C. assess the gap between current and acceptable level of risk.

As stated before what would you do " FIRST". Every thing else false in line after based on the results of the Gap analysis

Key word is do "FIRST"... conduct a GAP then look to put mitigation measures in place..

My analysis: A. transfer risk to a third party to avoid cost of impact. ==> need to perform assessment whether this treatment will reduce the risk to acceptable level C. assess the gap between current and acceptable level of risk. ==> not, because we already now that it is above risk appetite, so gap analysis already been done D. implement controls to mitigate the risk to an acceptable level. ==> security manager can not implement controls, but the business user B. recommend that management avoid the business activity. ==> the remaining and best answer

D, the question implies the gap analysis is completed and acceptable is lower than risk of new business.

GAP Analysis is the best answer