CISM Certified Information Security Manager – Question0314

Previously accepted risk should be:

A. re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.
B. accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.
C. avoided next time since risk avoidance provides the best protection to the company.
D. removed from the risk log once it is accepted.

Correct Answer: A

Explanation:

Acceptance of risk should be regularly reviewed to ensure that the rationale for the initial risk acceptance is still valid within the current business context. The rationale for the initial acceptance may no longer hold after changes in conditions and, hence, risk cannot be accepted permanently. Risk is an inherent part of business, and it is impractical and costly to eliminate all risk. Even risks that have been accepted should be monitored for changing conditions that could alter the original decision.