I like D because you need to know the amount of risk (risk appetite) that the organization wants to take on in order to know what degree your controls need to be at. B sounds good as well, but I like D. Two cents.
Team, you need the risk appetite even before the selection of the risk framework. Applying a risk management framework in an organization requires a keen understanding of the organization's mission, objectives, strategies, cultures, practices, structure, financial condition, risk appetite, and level of executive management support.
Gregory, Peter H. CISM Certified Information Security Manager Bundle (pp. 172-173). McGraw Hill LLC. Kindle Edition.
ISACA defines risk appetite as the level of risk that an organization is willing to accept while in pursuit of its mission, strategy, and objectives, and before action is needed to treat the risk.
Gregory, Peter H. CISM Certified Information Security Manager Bundle (pp. 57-58). McGraw Hill LLC. Kindle Edition.
B - The question asks about what MUST be defined for evaluating the appropriateness of controls currently in place. The risk management framework provides the structure for assessing and managing risks, including defining risk appetite.
The word "evaluate" makes me go for B. OK, if you know the risk appetite, what do you do? How do you evaluate whether a control already in place is too much or not enough based on the risk appetite? You need a process to evaluate it, right? A risk management process; the risk appetite is an input to the risk management process.
• Risk Management
- Process of identifying, assessing, and prioritizing risks to an organization
- Evaluation of existing controls and new controls based on business strategy
As you can see the answer to the question is clearly defined under bullet 2. The best answer is B.
A risk management framework provides the structure and processes for identifying, assessing, and managing risks within an organization. It outlines the methods and criteria for evaluating risks, including the selection and implementation of controls to mitigate those risks. By having a well-defined risk management framework, the information security manager can systematically assess the effectiveness and appropriateness of the controls currently in place and identify any gaps or areas that may require improvement.
In order for an information security manager to evaluate the appropriateness of controls currently in place, the risk management framework must be defined.
A security policy sets out the overall principles and guidelines for protecting an organization's information, but it alone is not enough to evaluate the appropriateness of controls currently in place. The risk management framework, on the other hand, provides a systematic approach to identify, assess, and prioritize risks and determine the controls needed to manage them effectively. Therefore, a well-defined risk management framework is necessary to evaluate the appropriateness of controls in place.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters and posting dates:
- CarlLimps (Highly Voted, 1 year, 8 months ago)
- CarlPTY07 (Highly Voted, 1 year, 8 months ago)
- Booict (Most Recent, 3 months, 2 weeks ago)
- yottabyte (8 months ago)
- Marcelus1714 (9 months, 1 week ago)
- POWNED (9 months, 3 weeks ago)
- maisarajarrah (10 months, 2 weeks ago)
- testersaj (1 year, 1 month ago)
- afc1019 (1 year, 3 months ago)
- richck102 (1 year, 4 months ago)
- jennarink13 (1 year, 4 months ago)
- Souvik124 (1 year, 9 months ago)
- AlexJacobson (9 months, 3 weeks ago)
- Broesweelies (1 year, 9 months ago)