Which of the following statements regarding information security risk is NOT correct?
The incorrect statement is: B. "Information security risk cannot be accepted without being treated or during the process of risk treatment." This statement is NOT correct because, according to ISO 27001, risk acceptance is one of the possible risk treatment options. Organizations may accept certain risks if the cost of mitigation is higher than the potential impact of the risk, or if the risk is deemed to be at an acceptable level. Therefore, information security risks can be accepted without being treated, as part of the risk treatment process.
The answer here is B. This refers to page 77 in the PECB documents. See ISO 27000 clause 3.62, "risk acceptance", Note 1: risk acceptance can occur without risk treatment.