CISM Certified Information Security Manager – Question0311 - CISM Certified Information Security Manager

After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?

A. Information security officer
B. Chief information officer (CIO)
C. Business owner
D. Chief executive officer (CFO)

Correct Answer: C

Explanation:

Explanation: The business owner of the application needs to understand and accept the residual application risks.