CISM Certified Information Security Manager – Question0372

After assessing risk, the decision to treat the risk should be based PRIMARILY on:

A. availability of financial resources.
B. whether the level of risk exceeds risk appetite.
C. whether the level of risk exceeds inherent risk.
D. the criticality of the risk.

Correct Answer: B