Exam CISM topic 1 question 629 discussion

"The business is unwilling to allocate resource to remediate the issue". Then, you don't even have resource for alternative compensating controls. Discontinuing the use of the legacy application is another way to solve the problem but it also requires resources. Then, I would present the worst case scenario to the business manager and if they still don't want to allocate resources I would document the risk acceptance.

Presenting the worst-case scenario communicates the potential SLE to the business, helping them understand financial implications and make informed decisions. Documentation supports this process by providing evidence of the assessment, SLE, and risk acceptance, contributing to good risk governance

no other choice but risk acceptance

Correct answer is A: Document risk acceptance from the business. Because it ensures proper accountability, supports risk governance, and allows the security manager to move forward with a recorded decision. According to CISM Domain 2 Risk Management: If the business has explicitly chosen not to allocate resources to remediate the high-risk issue, the security manager's responsibility is to: Ensure the risk is clearly documented, Verify the decision has been made by the appropriate authority, and record it as a formal risk acceptance — including rationale, impact, and accountability, which is the case here.

D would not make a difference since the risk was already presented and risk assessment was performed. When the business is unwilling to allocate resources to remediate a high-risk issue, the BEST course of action for the information security manager is to identify and design compensating controls that reduce the risk to an acceptable level. This demonstrates a proactive approach to mitigating risk while working within the constraints of the business. CISM emphasizes the importance of finding balanced solutions that address risks without disrupting operations unnecessarily.

"The business is unwilling to allocate the resources to remediate the issue." They should be already aware of the issue and its consequences, so D should be in the past. I go for C.

IMO, the term remediate means to correct or resolve the issue. Business is unwilling to do so. That still leaves the door open to compensating controls.

Its C This approach allows you to manage the risk within the constraints imposed by the business, providing a balance between risk management and resource allocation.

@Salilgen, you are spot on.

With isaca you have to always be aware of the key all cap words in the question. For this question it is "BEST", not "FIRST". With this reasoning the best answer is C.

It doesn't say reluctant, it says unwilling. Any time spent by a resource going forward, which includes designing compensating controls is in direct defiance of the business decision. It is A

If the business understands the risks associated with the legacy application and still decides not to allocate resources for its remediation, it is crucial to obtain and document formal risk acceptance from relevant business stakeholders. This ensures that the decision is well-informed, and accountability is clear.

Documentation of Risk Acceptance: When a high-risk issue is discovered, and the business is unwilling to allocate resources for remediation, it's crucial to formally document their decision to accept the risk. This documentation serves as a record of the business's awareness of the risk and their decision not to mitigate it. It also helps in clarifying responsibilities and accountabilities.

C looks right

C. Design alternative compensating controls to reduce the risk.

I concur with Cal on this. It's about the best action, not the first action.

Read the question: The BEST action is C. Obviously the first action is A,