nerdexam
(ISC)2

CISSP · Question #479

When can a security program be considered effective?

The correct answer is C. Risk is lowered to an acceptable level.. A security program can be considered effective when it lowers the risk to an acceptable level, meaning that the residual risk after implementing security controls is within the risk appetite and tolerance of the organization. Risk is the likelihood and impact of a threat exploiti

Submitted by thandi_sa· Mar 5, 2026Security and Risk Management

Question

When can a security program be considered effective?

Options

  • AAudits are rec/party performed and reviewed.
  • BVulnerabilities are proactively identified.
  • CRisk is lowered to an acceptable level.
  • DBadges are regulatory performed and validated

How the community answered

(15 responses)
  • A
    7% (1)
  • B
    13% (2)
  • C
    73% (11)
  • D
    7% (1)

Explanation

A security program can be considered effective when it lowers the risk to an acceptable level, meaning that the residual risk after implementing security controls is within the risk appetite and tolerance of the organization. Risk is the likelihood and impact of a threat exploiting a vulnerability, and risk management is the process of identifying, assessing, treating, and monitoring risk. A security program should align with the business objectives and strategy, and provide a framework for implementing, operating, and improving security controls that mitigate

Topics

#security program management#risk management#security effectiveness#acceptable risk

Community Discussion

No community discussion yet for this question.

Full CISSP Practice