CISM Certified Information Security Manager – Question0014

When a security standard conflicts with a business objective, the situation should be resolved by:

A. changing the security standard.
B. changing the business objective.
C. performing a risk analysis.
D. authorizing a risk acceptance.

Correct Answer: C

Explanation:
Conflicts of this type should be resolved on the basis of a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance is a process that derives from the risk analysis.