CISM Certified Information Security Manager – Question0311

After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?

A. Information security officer
B. Chief information officer (CIO)
C. Business owner
D. Chief executive officer (CFO)

Correct Answer: C

Explanation:

Explanation: The business owner of the application needs to understand and accept the residual application risks.