CISM Certified Information Security Manager – Question0014 - CISM Certified Information Security Manager

When a security standard conflicts with a business objective, the situation should be resolved by:

A. changing the security standard.
B. changing the business objective.
C. performing a risk analysis.
D. authorizing a risk acceptance.

Correct Answer: C

Explanation:

Explanation:
Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance* is a process that derives from the risk analysis.