CISA Certified Information Systems Auditor – Question0476

If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST:

A. transfer risk to a third party to avoid cost of impact
B. implement controls to mitigate the risk to an acceptable level
C. recommend that management avoids the business activity
D. assess the gap between current and acceptable level of risk

Correct Answer: D