CISM Certified Information Security Manager – Question0239

After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented?

A. Senior management
B. Business manager
C. IT audit manager
D. Information security officer (ISO)

Correct Answer: B

Explanation:
The business manager will be in the best position, based on the risk assessment and mitigation proposals, to decide which controls should or could be implemented, in line with the business strategy and within budget. Senior management will have to ensure that the business manager has a clear understanding of the assessed risk, but in no case will be in a position to decide on specific controls. The IT audit manager will take part in the process to identify threats and vulnerabilities and to make recommendations for mitigation. The information security officer (ISO) could make some decisions regarding the implementation of controls. However, the business manager will have a broader business view and full control over the budget and, therefore, will be in a better position to make strategic decisions.