CISM Certified Information Security Manager – Question0329

When the inherent risk of a business activity is lower than the acceptable risk level, the BEST course of action would be to:

A. monitor for business changes
B. review the residual risk level
C. report compliance to management
D. implement controls to mitigate the risk

Correct Answer: B