I choose D because we already know the gap exists (inherent risk > acceptable risk), so there's no need to assess the gap again. It's time to implement those appropriate controls.
Before taking any specific actions such as transferring risk (Option A), recommending avoidance of the business activity (Option B), or implementing controls (Option D), it's crucial to conduct a thorough assessment of the gap between the current inherent risk and the acceptable risk level. This involves evaluating the specific risks associated with the activity, understanding the potential impact on the organization, and determining the feasibility and effectiveness of various risk management strategies. Assessing the gap provides a foundation for making informed decisions and selecting the most appropriate risk mitigation measures.
C. assess the gap between the current and acceptable level of risk.
Assessing the gap between the current level of risk and the acceptable level of risk is the initial step in understanding the nature and magnitude of the risk exposure. This assessment will help the information security manager make informed decisions about how to proceed.
Once the gap has been assessed, the information security manager can then consider various risk management options, such as implementing controls to mitigate the risk to an acceptable level (option D), transferring the risk to a third party (option A), or recommending that management avoid the business activity (option B). However, understanding the gap is essential before determining which risk management strategy is most appropriate for the specific situation.
My analysis:
A. transfer risk to a third party to avoid cost of impact. ==> need to perform an assessment of whether this treatment will reduce the risk to an acceptable level
C. assess the gap between current and acceptable level of risk. ==> not, because we already know that it is above the risk appetite, so the gap analysis has already been done
D. implement controls to mitigate the risk to an acceptable level. ==> the security manager cannot implement controls; that is up to the business user
B. recommend that management avoid the business activity. ==> the remaining and best answer