CISM Certified Information Security Manager – Question0296 - CISM Certified Information Security Manager

An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:

A. eliminating the risk.
B. transferring the risk.
C. mitigating the risk.
D. accepting the risk.

Correct Answer: C

Explanation:

Explanation:
Risk can never be eliminated entirely. Transferring the risk gives it away such as buying insurance so the insurance company can take the risk. Implementing additional controls is an example of mitigating risk. Doing nothing to mitigate the risk would be an example of accepting risk.