CISM Certified Information Security Manager – Question0449

A risk was identified during a risk assessment. The business process owner has chosen to accept the risk because the cost of remediation is greater than the projected cost of a worst-case scenario. What should be the information security manager's NEXT course of action?

A. Determine a lower-cost approach to remediation.
B. Document and schedule a date to revisit the issue.
C. Shut down the business application.
D. Document and escalate to senior management.

Correct Answer: B