CISM Certified Information Security Manager – Question0310 - CISM Certified Information Security Manager

All risk management activities are PRIMARILY designed to reduce impacts to:

A. a level defined by the security manager.
B. an acceptable level based on organizational risk tolerance.
C. a minimum level consistent with regulatory requirements.
D. the minimum level possible.

Correct Answer: B

Explanation:

Explanation:
The aim of risk management is to reduce impacts to an acceptable level. “Acceptable” or “reasonable” are relative terms that can vary based on environment and circumstances. A minimum level that is consistent with regulatory requirements may not be consistent with business objectives, and regulators typically do not assign risk levels. The minimum level possible may not be aligned with business requirements.