CISM Certified Information Security Manager – Question 0336

Which of the following is the BEST course of action for the information security manager when residual risk is above the acceptable level of risk?

A. Perform a cost-benefit analysis
B. Recommend additional controls
C. Carry out a risk assessment
D. Defer to business management

Correct Answer: B