
CISM Question #320: Real Exam Question with Answer & Explanation

The correct answer is A: Owners are capable and accountable for the assigned tasks.

Submitted by katya_ua · Apr 18, 2026 · Information Security Risk Management

Question

Which of the following is the MOST important consideration when assigning risk and control ownership?

Options

  • A. Owners are capable and accountable for the assigned tasks.
  • B. Owners are notified timely of their assigned roles and responsibilities.
  • C. Owners are part of the senior management structure.
  • D. Owners are required to take risk management training.

Explanation

Risk and control ownership is only meaningful if the assigned owners have the knowledge, authority, and skills to fulfill their responsibilities and are held accountable for outcomes. An owner who lacks capability cannot effectively manage a risk or control, regardless of their title or training status. Accountability ensures that ownership translates to action and consequence. Option B (timely notification) is important but is a process step, not the defining characteristic of effective ownership. Option C (senior management membership) is not required - ownership should be assigned based on relevance and authority over the asset or process, not organizational rank. Option D (training requirements) supports capability development but does not substitute for it. Capability combined with accountability is the foundation of effective ownership.

Topics

#Risk ownership · #Control ownership · #Accountability · #Capability
