CRISC Certified in Risk and Information Systems Control – Question021

An enterprise has identified risk events in a project. While responding to these identified risk events, which among the following stakeholders is MOST important for reviewing risk response options to an IT risk?

A. Information security managers
B. Internal auditors
C. Incident response team members
D. Business managers

Correct Answer: D

Explanation:

Business managers are accountable for managing the associated risk and will determine what actions to take based on the information provided by others.
Incorrect Answers:
A: Information security managers may best understand the technical tactical situation, but business managers are accountable for managing the associated risk and will determine what actions to take based on the information provided by others, which includes collaboration with, and support from, IT security managers.
C: The incident response team must ensure open communication to management and stakeholders to ensure that business managers understand the associated risk and are provided enough information to make informed risk-based decisions. They are not responsible for reviewing risk response options.