I would go with B, Emerging Risk Trends.
The question is specifically asking about a condition when a compensating control becomes relevant in the presence of other known controls. In this case, we have already assessed the risk. You only invest in compensating controls if the existing ones can’t help, and that’s usually caused by a new threat/emerging risks which can’t be treated with what we already have.
I'd say it's D.
C would be done first to identify vulnerabilities in existing systems and controls, and then risk analysis can be used to (ideally) quantify the risk of a threat exploiting the vulnerability. This would lead to making a case for investing in additional compensating controls to mitigate the risk.
The best justification for spending on a compensating control would be option D: Risk analysis. Risk analysis involves identifying and assessing potential risks and their potential impact on an organization's assets. By conducting a risk analysis, organizations can determine the most critical risks and prioritize their mitigation efforts. If a risk analysis reveals significant vulnerabilities or threats that cannot be fully mitigated by existing controls, investing in compensating controls becomes necessary to reduce the overall risk to an acceptable level. Root cause analysis (option A) helps in identifying the underlying causes of incidents, while emerging risk trends (option B) and vulnerability assessments (option C) provide valuable insights, but they do not directly justify spending on compensating controls.
As the definition of 'Compensating Controls' goes, they reduce the risk of the weakness in an existing control(s). These weaknesses are discovered both during the assessment of controls done in the risk analysis process and the root cause analysis of an incident.
However, the weakness that has resulted in an incident (i.e., a risk that has been realized) is a stronger justification than a potential risk that may or may not be realized.
Therefore, I am leaning towards A, 'Root cause analysis'.
A risk analysis provides the necessary information to prioritize and allocate resources effectively. It helps determine the likelihood and potential consequences of various security threats and vulnerabilities, and it identifies the most critical areas where compensating controls may be needed. Therefore, risk analysis is the best justification for spending on compensating controls because it ensures that resources are allocated where they are most needed to reduce the organization's overall risk exposure.
pgonza, 7 months ago
AlexJacobson, 10 months, 1 week ago
koala_lay, 1 year, 1 month ago
richck102, 1 year, 1 month ago
CISSPST, 1 year, 2 months ago
CISSPST, 1 year, 2 months ago
oluchecpoint, 1 year, 2 months ago