Exam CISM topic 1 question 188 discussion

I feel that It should be B. Document and present it to senior leadership of the noncompliance and have them decide since they're ultimately accountable. Open to suggestions.

A. Document and schedule a date to revisit the issue. When a risk has been identified and the business process owner has chosen to accept it, the information security manager's next course of action should be to document the decision and schedule a date to revisit the issue in the future. This allows the organization to periodically review the risk and determine if the cost of remediation has decreased, the risk has changed, or the impact of the risk has increased. This also allows the organization to track the risk over time and make informed decisions about whether to accept or mitigate the risk in the future.

I think A Cannot be correct. A basically says that the remediation is not cost effective and therefore it should be accepted. However, a risk should only be accepted, if the risk is below the acceptable risk level. Hence, the security manager may recommend a more cost effective way to mitigate the risk - therefore answer D should be correct.

Close but scheduling a date is to vague. B makes more sense. Also, should be management's decision.

B is the choice, business owner could be a leader or a head in a particular unit in an organization, he does not have the final say, so document and escalate to senior management is the best choice for them to decide

Need to notify senior management of the BPO's decision. Answer is B

B, bpo cannot accept risk

A. Document and schedule a date to revisit the issue.

A is correct answer.