Instant Access ISACA.CISM.v2026-03-07.q241 Actual Practice Test Engine for Free (Page 9)

Question 36

Which of the following would BEST fulfill a board of directors' request for a concise

A.Business impact analysis
B.Balanced scorecard
C.Risk heat map
D.Risk register

Question 37

An organization's marketing department wants to use an online collaboration service, which is not in compliance with the information security policy, A risk assessment is performed, and risk acceptance is being pursued. Approval of risk acceptance should be provided by:

A.the chief risk officer (CRO).
B.business senior management.
C.the information security manager.
D.the compliance officer.

Correct Answer: B

Risk acceptance is the decision to accept the level of residual risk after applying security controls, and to tolerate the potential impact and consequences of a security incident. Approval of risk acceptance should be provided by business senior management, as they are the owners and accountable parties of the business processes, activities, and assets that are exposed to the risk. Business senior management should also have the authority and responsibility to allocate the resources, personnel, and budget to implement and monitor the risk acceptance decision, and to report and escalate the risk acceptance status to the board of directors or the executive management.
The chief risk officer (CRO) (A) is a senior executive who oversees the organization's risk management function, and provides guidance, direction, and support for the identification, assessment, treatment, and monitoring of risks across the organization. The CRO may be involved in the risk acceptance process, such as by reviewing, endorsing, or advising the risk acceptance decision, but the CRO is not the ultimate approver of risk acceptance, as the CRO is not the owner or accountable party of the business processes, activities, and assets that are exposed to the risk.
The information security manager © is the manager who leads and coordinates the information security function, and provides guidance, direction, and support for the development, implementation, and maintenance of the information security program and activities. The information security manager may be involved in the risk acceptance process, such as by conducting the risk assessment, recommending the risk treatment options, or documenting the risk acceptance decision, but the information security manager is not the ultimate approver of risk acceptance, as the information security manager is not the owner or accountable party of the business processes, activities, and assets that are exposed to the risk.
The compliance officer (D) is the officer who oversees the organization's compliance function, and provides guidance, direction, and support for the identification, assessment, implementation, and monitoring of the compliance requirements and obligations across the organization. The compliance officer may be involved in the risk acceptance process, such as by verifying, validating, or advising the risk acceptance decision, but the compliance officer is not the ultimate approver of risk acceptance, as the compliance officer is not the owner or accountable party of the business processes, activities, and assets that are exposed to the risk.
References = CISM Review Manual, 16th Edition, Chapter 2: Information Risk Management, Section: Risk Treatment, Subsection: Risk Acceptance, page 95-961

Question 38

The purpose of a corrective control is to:

A.reduce adverse events.
B.indicate compromise.
C.mitigate impact.
D.ensure compliance.

Question 39

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:

A.meet with stakeholders to decide how to comply.
B.analyze key risks in the compliance process.
C.assess whether existing controls meet the regulation.
D.update the existing security/privacy policy.

Question 40

Which of the following is the MOST effective way to demonstrate alignment of information security strategy with business objectives?

A.Risk matrix
B.Benchmarking
C.Balanced scorecard
D.Heat map

Question 36

Question 37

Question 38

Question 39

Question 40

Download PDF File