
CISM Exam - Question 763


Which of the following is the MOST important criterion when deciding whether to accept residual risk?

Correct Answer: C

When deciding whether to accept residual risk, the most important criterion is the cost of additional mitigation. This criterion helps ensure that the decision is cost-effective and that the benefits of reducing the risk outweigh the expenditures. Even if an asset has a high annual loss expectancy (ALE), the cost-benefit analysis of additional mitigation measures is crucial to determine if accepting the residual risk is practical.
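The cost-benefit comparison the explanation describes can be made concrete with a small calculation. The following is an added worked example, not part of the exam material or the review manual: it computes ALE as SLE multiplied by ARO, works out how much each candidate control reduces ALE, subtracts the control's annualized cost, and accepts the residual risk when no control pays for itself. The asset figures and control names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Control:
    """A candidate mitigation: what it costs per year and the loss profile it leaves behind."""
    name: str
    annual_cost: float    # annualized cost: purchase, operation and maintenance
    residual_sle: float   # single loss expectancy once the control is in place
    residual_aro: float   # annual rate of occurrence once the control is in place


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy = single loss expectancy x annual rate of occurrence."""
    return sle * aro


def net_benefit(current_ale: float, control: Control) -> float:
    """Annual ALE reduction the control buys, minus its annual cost.
    A negative value means the control costs more than the risk it removes."""
    residual = ale(control.residual_sle, control.residual_aro)
    return (current_ale - residual) - control.annual_cost


def should_accept_residual_risk(
    current_ale: float, candidates: List[Control]
) -> Tuple[bool, Optional[Control]]:
    """Return (accept, control).

    accept is True when no candidate reduces ALE by more than it costs, in which
    case the residual risk is accepted and control is None. Otherwise accept is
    False and control is the candidate with the largest net benefit.
    """
    best = max(candidates, key=lambda c: net_benefit(current_ale, c), default=None)
    if best is None or net_benefit(current_ale, best) <= 0:
        return True, None
    return False, best


# Constructed sample figures for a hypothetical customer-facing service (not from the page).
CURRENT_SLE = 200_000.0   # loss per incident
CURRENT_ARO = 0.5         # one incident every two years
CURRENT_ALE = ale(CURRENT_SLE, CURRENT_ARO)   # 100,000 per year

CANDIDATES = [
    # Cuts the loss per incident sharply, but the control costs more than the ALE it removes.
    Control("extra backup site", annual_cost=120_000.0, residual_sle=50_000.0, residual_aro=0.5),
    # Halves the frequency of incidents at a cost below the ALE reduction.
    Control("monitoring upgrade", annual_cost=30_000.0, residual_sle=200_000.0, residual_aro=0.25),
]


if __name__ == "__main__":
    print(f"current ALE: {CURRENT_ALE:,.0f}")
    for c in CANDIDATES:
        print(f"{c.name}: net benefit {net_benefit(CURRENT_ALE, c):,.0f}")
    accept, control = should_accept_residual_risk(CURRENT_ALE, CANDIDATES)
    print("accept residual risk" if accept else f"implement: {control.name}")
    # With only the expensive control on the table, the residual risk is accepted.
    accept, _ = should_accept_residual_risk(CURRENT_ALE, CANDIDATES[:1])
    print("accept residual risk" if accept else "implement a control")
```

The first candidate illustrates the point made above: the asset keeps a high ALE, yet the mitigation is rejected because its cost exceeds the loss it would prevent. ALE is an input to the comparison, but the accept/reject decision turns on the net benefit.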

Discussion

11 comments
[Removed] (Option: C)
Aug 3, 2023

According to the Certified Information Security Manager (CISM) Review Manual: "Decisions to accept residual risk should be based on considerations such as the cost-effectiveness of additional mitigation, the criticality of the asset to the enterprise’s mission, the asset’s value and the impact of the asset’s loss." (CISM Review Manual 15th Edition, p. 124)

Souvik124 (Option: C)
Feb 17, 2023

The MOST important criterion when deciding whether to accept residual risk is the cost of additional mitigation. Therefore, the correct answer is option C.

cangurer
Mar 15, 2023

I think B is correct; in order to compare the cost you should know the ALE.

wello (Option: B)
Jun 15, 2023

Even if the risk is equal to or greater than the asset value, the annual rate of occurrence matters. So I think B.

Bl1024 (Option: C)
Sep 30, 2023

If additional mitigation is too costly and not cost-effective enough, you can only accept the risk.

Saisharan (Option: C)
Oct 12, 2023

Cost of mitigating the asset, so the answer would be C.

POWNED (Option: B)
Jan 26, 2024

Most important is the ALE. You cannot decide to accept the risk if you have not defined the ALE and matched it up to the cost of mitigation.

richck102 (Option: A)
Jul 7, 2023

I vote ..... A. Cost of replacing the asset

Evedzy (Option: C)
Jan 7, 2024

ANSWER C: The security manager would be most concerned with whether residual risk would be reduced by a greater amount than the cost of adding additional controls. The other choices, although relevant, would not be as important.

AlexJacobson (Option: C)
Jan 27, 2024

I'm torn between B and, but leaning more towards C. If additional mitigation is not cost-effective and the risk is still deemed too high, then the only other choice would be risk avoidance. But if that isn't possible, the only thing a business can do is accept the residual risk. ALE is important for determining the potential loss an asset would suffer due to a threat realization over a year. But you can reduce ALE up to a point, after which it stops being cost-effective.

Marcelus1714 (Option: C)
Feb 10, 2024

Cost of additional mitigation. What if you have a high ALE but the cost of mitigation is even higher? I believe it is always about how much it costs.

1899f17 (Option: B)
May 27, 2024

B. Annual loss expectancy (ALE)