Exam CISM topic 1 question 187 discussion

D. Align with the risk appetite is the information security manager's best approach when selecting cost-effective controls needed to meet business objectives. The risk appetite is the level of risk that an organization is willing to accept in order to achieve its objectives. It is a key consideration when selecting controls, as it determines how much the organization is willing to invest in security. A security manager should align the controls with the risk appetite by considering the potential impact of a security incident on the organization and the likelihood of it occurring. This approach allows the security manager to select cost-effective controls that are appropriate for the organization's specific needs and budget, while also ensuring that the organization's assets and operations are protected. This approach also allows the organization to prioritize the most critical risks and allocate resources accordingly, ensuring that the most important risks are addressed first.

Risk appetite - Company at different maturity level have different risk appetite and have different view on spending. E.g Startup could be more risk adverse and willing to take more risk therefore spend less on security

A: Conduct Gap Analysis , Page 64 . Gap Analysis areas of review include Effective controls that have been designed , implemented and maintained

D By aligning with the risk appetite, an information security manager ensures that the security controls implemented are in line with the organization's overall risk tolerance. This approach allows for a balanced and cost-effective selection of controls that are neither overly restrictive nor insufficient for the organization's needs.

Answer D: Capability of Control is enough to achieve Accepted Risk level

A. Conduct a gap analysis.

some of the controls you already have in place may mitigate risk therefore reducing the need for new controls

at first, choose gap analysis.