Following an information security risk assessment of a critical system, several significant issues have been identified. Which of the following is MOST important for the information security manager to confirm?
A. The risks are entered in the organization's risk register.
B. The risks are reported to the business unit's senior management.
C. The risks are escalated to the IT department for remediation.
D. The risks are communicated to the central risk function.
Correct answer: A. Entering the identified risks into the organization's risk register ensures that they are documented, tracked, assigned an owner, and addressed through a treatment plan. Reporting to business management, escalating to IT, or notifying the central risk function (B, C, D) may each follow, but without an entry in the risk register there is no formal mechanism to manage, treat, or monitor the risk over time.
"The risk register is the central repository for tracking all known risks, their status, and treatment plans."
— CISM Review Manual 15th Edition, Chapter 2: Information Risk Management, Section: Risk Response and Risk Register