Isaca Exam CISM Topic 3 Question 62 Discussion

Actual exam question for Isaca's CISM exam

Question #: 62
Topic #: 3

[All CISM Questions]

Which of the following is the MOST important factor in an organization's selection of a key risk indicator (KRI)?

AReturn on investment (ROI)

BCompliance requirements

CTarget audience

DCriticality of information

Show Suggested Answer

Suggested Answer: A

When preventive controls to appropriately mitigate risk are not feasible, the most important action for the information security manager is to manage the impact, which means taking measures to reduce the likelihood or severity of the consequences of the risk. Managing the impact can involve using alternative controls, such as engineering, administrative, or personal protective controls, that can lower the exposure or harm to the organization. The other options, such as identifying unacceptable risk levels, assessing vulnerabilities, or evaluating potential threats, are part of the risk assessment process, but they are not actions to mitigate risk when preventive controls are not feasible. Reference:

https://bcmmetrics.com/risk-mitigation-evaluating-your-controls/

https://www.osha.gov/safety-management/hazard-prevention

https://www.cdc.gov/niosh/topics/hierarchy/default.html

by Carlee at Sep 03, 2023, 03:43 PM

Limited Time Offer

25%

Off

Get Premium CISM Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Hubert

6 days ago

I think the criticality of information is the most important factor in selecting a KRI. After all, if the information isn't critical, why bother tracking it?

upvoted 0 times

...