Level of residual risk is the amount of risk that remains after applying risk treatment options, such as avoidance, mitigation, transfer, or acceptance. The information security manager should compare the level of residual risk with the organization’s risk appetite, which is the amount of risk that the organization is willing to accept in pursuit of its objectives. The comparison will help to determine whether the risk treatment options are sufficient, excessive, or inadequate, and whether further actions are needed to align the risk level with the risk appetite.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 49: “Residual risk is the risk that remains after risk treatment.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 43: “Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of value.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 50: “The information security manager should compare the residual risk with the risk appetite and determine whether the risk treatment options are sufficient, excessive, or inadequate.”
Submit