Exam CISM topic 1 question 224 discussion

The most important for an information security manager to communicate to stakeholders when approving exceptions to the information security policy is the impact on the risk profile. This includes the potential risks that may arise from granting the exception, and any potential impact on the confidentiality, integrity, and availability of the organization's data and systems. This information should be communicated in a clear and concise manner, so that stakeholders can understand the implications of the exception and make an informed decision.

I felt it is C, they are taking exceptions, which means they are going to accept the risks. What needs to be decided next is how often to review these exceptions.

B..If it's an exception that stakeholders should know the compensation controls so they could know the mitigation process for these risk .

Impact to risk profile and potential compesating controls are already communicated before exception approved. Review period is remaining and best option

Per Review Manual: "Any such policy exceptions must be assessed for risk and impact prior to implementation and the identified risk accepted by appropriate levels of management."

B. Need for compensating controls. Communicating the need for compensating controls ensures that stakeholders understand how the increased risk associated with the exception will be mitigated and helps maintain a reasonable level of security while accommodating specific business needs.

Communicating the impact on the risk profile is crucial because exceptions to the information security policy have the potential to introduce additional risks to the organization. By clearly articulating the impact, the information security manager can help stakeholders understand the potential consequences and make informed decisions regarding the exception.

B. Need for compensating controls

I would think that if they're at the point of approving then they have already past talking about impacts.

Risk profile.