Module 11: Risk and Control Ownership

CISM Domain 2 — Information Security Risk Management, Section B

What the Exam Is Really Testing

Every question on this topic comes down to one idea:

Risk must be owned by the business — not by the security function.

And:

Controls must have clearly defined accountability to be effective.

The exam evaluates whether you:

  • Assign responsibility appropriately
  • Escalate to correct authority
  • Avoid assuming ownership improperly
  • Understand separation between advisory and decision roles
  • Ensure formal documentation

Security advises. Risk owners decide.

The Executive Mindset Shift

The practitioner view:

Security owns the risk.

The governance view:

The business activity owner owns the risk. Security provides guidance.

If a system generates revenue, supports operations, or enables strategy, the business unit that benefits from it owns the risk.

Security is accountable for:

  • Advising
  • Assessing
  • Reporting
  • Monitoring

But not accepting risk unilaterally.

Role Distinctions (Critical for the Exam)

Risk Owner

The individual accountable for:

  • Accepting or rejecting risk
  • Funding mitigation
  • Aligning risk with business objectives

Usually: business executive, process owner, or system owner.

Not typically: security manager alone.

Control Owner

Responsible for:

  • Designing the control
  • Implementing the control
  • Operating the control
  • Monitoring effectiveness

Often within IT or operational teams.

Security Function

Responsible for:

  • Risk identification
  • Risk analysis
  • Advisory guidance
  • Reporting
  • Escalation

Security does NOT:

  • Accept risk without authorization
  • Own business decisions

Governance Principles

  1. Risk ownership must align with business accountability.
  2. Control ownership must be clearly documented.
  3. Risk acceptance requires authorized approval.
  4. Unassigned risk is unmanaged risk.
  5. Escalation paths must be defined.

CISM frequently tests improper assignment of responsibility.

Pattern Recognition

When ownership appears in a scenario, ask:

  1. Who benefits from the activity?
  2. Who has authority to allocate resources?
  3. Who can formally accept risk?
  4. Is ownership documented?
  5. Is escalation appropriate?

Correct answers often involve:

  • Assigning the risk to the business owner
  • Defining control accountability
  • Escalating when acceptance exceeds authority
  • Formal documentation

Not:

  • Security accepting risk alone
  • IT operations accepting enterprise risk
  • Ignoring unclear ownership
  • Assigning accountability without authority

Trap Pattern

Common wrong instincts:

  • “Security owns all risk.”
  • “IT owns business risk.”
  • “Risk acceptance doesn’t require documentation.”
  • “Control owners automatically own the risk.”

CISM prioritizes accountability alignment.

Scenario Practice

Question 1

A business unit wants to accept a security risk to meet a market deadline. The security manager disagrees.

Who has final authority to accept the risk?

A. Security manager
B. IT operations
C. Designated business risk owner
D. External auditor

Answer & reasoning

Correct: C

Risk acceptance authority resides with the business owner responsible for the activity.

Question 2

A critical control fails repeatedly. No formal owner is assigned.

What is the PRIMARY governance issue?

A. Encryption weakness
B. Insufficient scanning
C. Lack of documented control ownership
D. Vendor delay

Answer & reasoning

Correct: C

Undefined control ownership leads to unresolved deficiencies.

Question 3

Residual risk remains above acceptable levels after mitigation. The business unit manager approves acceptance without executive authorization.

What is the MOST appropriate response?

A. Escalate to appropriate authority per governance process
B. Ignore the acceptance
C. Document acceptance without escalation
D. Shut down the system

Answer & reasoning

Correct: A

Risk acceptance must follow defined governance authority.

Question 4

Security identifies a high-risk issue in a revenue-generating system. The system owner requests additional time for mitigation.

What should the security manager do?

A. Accept the risk independently
B. Document the residual risk and ensure the risk owner's decision is recorded
C. Shut down the system immediately
D. Ignore the request

Answer & reasoning

Correct: B

Security advises and documents. The risk owner decides.

Question 5

A security control is implemented but not actively monitored.

Who is accountable for ensuring effectiveness?

A. Control owner
B. Risk owner
C. External auditor
D. Regulator

Answer & reasoning

Correct: A

Control owners are responsible for operational effectiveness.

Key Takeaway

In CISM:

The business owns the risk. The control owner operates mitigation. Security advises and escalates.

When ownership questions appear:

  • Align accountability with authority.
  • Ensure formal documentation.
  • Escalate when needed.
  • Avoid assuming responsibility improperly.

The exam draws a sharp line between advising on risk and owning it.
