CISM Certified Information Security Manager – Question0392 - CISM Certified Information Security Manager

The MOST important reason for conducting periodic risk assessments is because:

A. risk assessments are not always precise.
B. security risks are subject to frequent change.
C. reviewers can optimize and reduce the cost of controls.
D. it demonstrates to senior management that the security function can add value.

Correct Answer: B

Explanation:

Explanation:
Risks are constantly changing. A previously conducted risk assessment may not include measured risks that have been introduced since the last assessment. Although an assessment can never be perfect and invariably contains some errors, this is not the most important reason for periodic reassessment. The fact that controls can be made more efficient to reduce costs is not sufficient. Finally, risk assessments should not be performed merely to justify the existence of the security function.