CISM Certified Information Security Manager – Question 1001

Exceptions to a security policy should be approved based PRIMARILY on:

A. risk appetite.
B. the external threat probability.
C. results of a business impact analysis (BIA).
D. the number of security incidents.

Correct Answer: C