Exam CISM topic 1 question 414 discussion

A. is the best answer. Why the heck would you do D AGAIN? You just did an assessment. Formally documenting to me means get this shit in front of the executives in the organziation and provide their awareness. Unfortunately, or fortunately, it is a CYA(Cover Your Ass) step as well, which is very important.

This is very tricky since the risk can't legally be accepted because it violates regulatory requirements. So documenting it would be formalizing a non-compliant action which is not a great move for a security manager. Answer D provides the formal trigger for moving the issue beyond the department head to someone who has the authority to make decisions that involve regulatory exposure.

When performing a risk reassessment, you will also look at the regulations and the current existing controls. After the reassessment you will formally document the decision.

A. Formally document the decision. This action ensures there is an official record of the department head's acceptance of the risks, which is crucial for transparency, accountability, and for any potential future disputes or investigations, especially given the regulatory implications.

risk accepted > track the decision

A. Formally document the decision.

I think B may the correct answer. Because the accepted risk is related to regulatory requirements; hence the SM first review regulations before go for other options

document the decision.

The risk assessment is already done. At this point you are just documenting the official decision.

A is correct, document the decision first and add it to the risk register.

The risk should be monitored

It should be to Document the decision

The risk assessment is already done!

A. Formally document the decision.

D. Perform a risk reassessment.

I think B