Which of the following BEST facilitates an information security manager’s efforts to obtain senior management commitment for an information security program?
I like A. Interesting word choices here, you are looking for commitment by senior management for an information security program. Meaning you don't have one. So providing evidence of inherent risk (risk of the control environment WITHOUT ANY controls) would be the best answer, IMO. So showing residual risk would be wrong because this would demonstrate risk AFTER you've already applied controls, the risk "LEFTOVER".
Residual risk is what the org. is facing now. If it is not within risk appetite levels, then investment in a security program to mitigate and bring it to acceptable levels is required.
C - it highlights the legal and regulatory obligations that the organization must meet. Option A is also important but may not be as compelling as compliance requirements. Inherent risks are often seen as part of the business environment, and senior management might prioritize them differently.
Finally, I choose A. A or D are important, while I think option A should be more harmful in general as those risks are not treated. Residual risk may be mitigated and then may be less harmful.
D. Communicating the residual risk
Communicating the residual risk is likely to be effective in obtaining senior management commitment for an information security program. Residual risk refers to the level of risk that remains after security controls and mitigation measures have been implemented. By presenting information about residual risk, the information security manager can demonstrate the ongoing vulnerabilities and potential impact on the organization if additional measures are not taken.
While presenting evidence of inherent risk is important for understanding the initial risk landscape, focusing on residual risk provides a more nuanced and current assessment. Senior management is often concerned with making informed decisions to manage and accept residual risks effectively. Therefore, option D is likely to be the most persuasive in obtaining senior management commitment to enhance the information security program.
Presenting inherent risk makes sense when seeking funds, but for management's ongoing support/commitment IS needs to show evidence of alignment with business objectives, which in this case is by showing that residual risk is within acceptable levels.
If we cannot achieve acceptable risk levels for existing risks, then presenting inherent risks will raise more questions for management than provide answers to 'why should they invest in IS?'
A. Presenting evidence of inherent risk
Presenting evidence of inherent risk helps senior management understand the potential risks and threats that the organization faces, which is a crucial step in gaining their commitment to an information security program. It highlights the importance of addressing these risks and demonstrates the need for investment in security measures to protect the organization's assets and reputation.
A. Presenting evidence of inherent risk.
By presenting evidence of inherent risk, the information security manager can effectively communicate the potential impact and consequences of security incidents and vulnerabilities to senior management. This helps senior management understand the importance of investing in information security measures and the potential risks the organization faces without adequate protection. By highlighting the potential business impact, financial losses, reputational damage, and regulatory consequences associated with security risks, the information security manager can effectively make the case for senior management commitment to the information security program.
Presenting evidence of inherent risk is the BEST way to facilitate an information security manager's efforts to obtain senior management commitment for an information security program.
upvoted 3 times