To effectively manage an organization’s information security risk, it is most important to establish and communicate risk tolerance, which is the level of risk that the organization is willing to accept or bear. By establishing and communicating risk tolerance, the organization can align its risk management strategy and objectives with its business goals and values, and ensure that the risk management activities and decisions are consistent and appropriate across the organization.
[References: The CISM Review Manual 2023 defines risk tolerance as “the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives” and states that “the information security manager should assist the enterprise in establishing and communicating its risk tolerance, and ensure that the risk management process is aligned with the enterprise’s risk tolerance” (p. 94). The CISM Review Questions, Answers & Explanations Manual 2023 also provides the following rationale for this answer: “Establish and communicate risk tolerance is the correct answer because it is the most important factor to effectively manage an organization’s information security risk, as it helps to define the scope, direction, and priorities of the risk management process, and to ensure that the risk management activities and decisions are consistent and appropriate across the organization” (p. 29). Additionally, the article Risk Tolerance: The Forgotten Factor from the ISACA Journal 2019 states that “risk tolerance is the key factor that influences the risk management process and outcomes” and that “risk tolerance should be established and communicated by the organization’s senior management and board of directors, and should reflect the organization’s strategy, culture, and governance” (p. 1)1, , , , , , , , ]
Submit