C. Exceptions reflect the organizational risk appetite.
While all of the options are important in the context of information security, ensuring that exceptions align with the organization's risk appetite is crucial. This means that exceptions should be evaluated and granted or denied in a way that takes into account the organization's tolerance for risk. If an exception introduces too much risk or deviates significantly from the established risk tolerance, it could jeopardize the overall security of the organization. Therefore, aligning exceptions with the organization's risk appetite is a fundamental consideration in the exception management process.
Such tradeoffs should be considered in the policy development process, when possible, to minimize the need for subsequent exceptions. As part of the program development, a formal waiver process should be implemented to manage the life cycle of these exceptions to ensure they are periodically reviewed and, when possible, closed. Any such policy exceptions must be assessed for risk and impact prior to implementation and the identified risk accepted by appropriate levels of management.
The most important thing to ensure when considering exceptions to an information security policy is that exceptions reflect the organizational risk appetite. This means that the organization's risk management strategy and risk appetite should be taken into account when determining whether to grant an exception to the security policy. An organization's risk appetite is its tolerance for risk and the level of risk that it is willing to accept in order to achieve its business objectives. Exceptions to the security policy should not exceed the organization's risk appetite, and should be carefully evaluated to ensure that they do not create unacceptable risks.
upvoted 4 times