
CISM Question #704: Real Exam Question with Answer & Explanation


Submitted by neha2k · Apr 18, 2026 · Domain: Information Security Governance

Question

Following an information security risk assessment of a critical system, several significant issues have been identified. Which of the following is MOST important for the information security manager to confirm?

Options

  • A. The risks are reported to the business unit's senior management.
  • B. The risks are escalated to the IT department for remediation.
  • C. The risks are communicated to the central risk function.
  • D. The risks are entered in the organization's risk register.

Explanation

The correct answer is A. Reporting significant risks to the business unit's senior management is most critical because they are the risk owners: they have the authority and the accountability to decide whether to accept, mitigate, transfer, or avoid those risks, and to fund whatever treatment is chosen. An information security manager's primary obligation after a risk assessment is to ensure that the right decision-makers are informed so they can act; the other activities listed support that decision but do not replace it.

Why the distractors fall short:

  • B is wrong because escalating to IT treats risk as a purely technical problem, bypassing the business owners who must ultimately decide how to respond and fund remediation. IT may implement controls, but it does not own the business risk.
  • C is wrong because communicating to a central risk function is a secondary, administrative step. It is useful for coordination and aggregated reporting, but it does not ensure that the people accountable for the system are aware of the findings.
  • D is wrong for the same reason as C: entering risks in a register is good practice and necessary, but it is a documentation activity, not a decision-enabling one. A risk sitting in a register without management awareness changes nothing.

Memory tip: Think of the information security manager as a messenger to power. Their job is not to fix the risk themselves or hand it off to IT, but to get it in front of whoever has the budget and authority to act. When in doubt, ask: "Who owns this risk?" The answer is almost always senior business management, not a department or a database.

Topics

#Risk reporting · #Risk ownership · #Senior management communication · #Information security governance
