Domain 2: Information Security Risk Management Review — 17 of 47

Section B Review: Information Security Risk Response

CISM Domain 2 — Information Security Risk Management: Section B Review (10 scenario questions)

This section integrates:

  • Risk Treatment / Risk Response Options
  • Risk and Control Ownership
  • Risk Monitoring and Reporting

CISM tests whether you make proportional, governance-aligned risk decisions.

1. Risk Response Must Align With Risk Appetite

The four response options are not equal:

  • Avoid
  • Mitigate
  • Transfer
  • Accept

Correct selection depends on:

  • Residual risk level
  • Cost-benefit analysis
  • Strategic objectives
  • Risk tolerance

If residual risk exceeds appetite, it must be further mitigated or formally escalated.

Security does not unilaterally accept enterprise risk.

2. Risk Ownership Belongs to the Business

Security:

  • Identifies risk
  • Assesses risk
  • Advises on treatment
  • Monitors exposure

The business risk owner:

  • Approves mitigation
  • Accepts residual risk
  • Allocates funding
  • Aligns decision with strategy

Unclear ownership = unmanaged risk.

3. Monitoring Validates Risk Decisions

Risk acceptance is not permanent.

Monitoring must:

  • Track residual risk trends
  • Identify threshold breaches
  • Detect control degradation
  • Trigger reassessment when exposure changes

Escalation must follow governance process.

4. Reporting Must Match the Audience

Board-level:

  • Strategic risk posture
  • Trend visibility
  • Appetite alignment

Operational:

  • Control performance
  • Tactical metrics
  • Incident rates

Technical detail without business context is a governance failure.

Section B Decision Pattern

When unsure:

  1. Compare residual risk to appetite.
  2. Confirm risk owner authority.
  3. Ensure documentation.
  4. Validate cost-benefit logic.
  5. Escalate when thresholds are exceeded.

If an answer option skips documentation or ownership, it is likely wrong.
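The decision pattern above is an ordered set of checks, and the order matters (ownership and documentation are examined even when residual risk is within appetite; a breach of appetite always escalates; an accepted risk whose exposure has changed is reassessed, not left standing). The following Python is an added example, not part of the CISM review text: it encodes that pattern as a small risk-register evaluator. The 1–5 likelihood × impact scoring, the appetite threshold of 12, the set of roles with acceptance authority, and every register entry are constructed sample values chosen to mirror the scenarios in the practice questions that follow, not values from any standard.

```python
"""Risk-register decision helper (added example, constructed data).

Encodes the Section B decision pattern:
  1. compare residual risk to appetite
  2. confirm risk owner authority
  3. ensure acceptance is documented
  4. validate cost-benefit logic of the treatment
  5. escalate when thresholds are exceeded
plus the Section 3 rule that acceptance is revisited when exposure changes.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed appetite: highest residual score (likelihood 1-5 x impact 1-5)
# the enterprise tolerates without a formal escalation.
RISK_APPETITE = 12

# Constructed set of roles permitted to accept residual risk. Security roles
# are deliberately absent: security advises and monitors, the business decides.
ACCEPTANCE_AUTHORITY = {"business_unit_head", "cro", "risk_committee"}


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    likelihood: int                              # 1..5
    impact: int                                  # 1..5
    owner_role: str                              # designated risk owner
    response: str                                # avoid | mitigate | transfer | accept
    control_cost: float = 0.0                    # annualised cost of the treatment
    expected_loss: float = 0.0                   # annualised loss the treatment addresses
    acceptance_signed_by: Optional[str] = None   # role that signed the acceptance
    accepted_on: Optional[date] = None
    exposure_changed_since_acceptance: bool = False  # monitoring signal

    @property
    def residual_risk(self) -> int:
        return self.likelihood * self.impact


def evaluate(entry: RiskEntry, appetite: int = RISK_APPETITE) -> Dict[str, object]:
    """Return {'action': ..., 'findings': [...]} for one register entry.

    action is one of: escalate | reassess | review | maintain
    """
    findings: List[str] = []

    # Step 2: ownership. Only a role with authority may own/accept the risk.
    if entry.owner_role not in ACCEPTANCE_AUTHORITY:
        findings.append("owner lacks acceptance authority")

    # Step 3: documentation. Accepted risk needs a signed, dated record.
    if entry.response == "accept":
        if entry.acceptance_signed_by is None or entry.accepted_on is None:
            findings.append("acceptance not formally documented")
        elif entry.acceptance_signed_by not in ACCEPTANCE_AUTHORITY:
            findings.append("acceptance signed by role without authority")

    # Step 4: cost-benefit. A treatment that costs more than the loss it
    # addresses is a candidate for formal acceptance instead.
    if entry.response in {"mitigate", "transfer"} and entry.control_cost > entry.expected_loss > 0:
        findings.append("control cost exceeds expected loss; reconsider treatment")

    # Steps 1 and 5: residual risk above appetite always escalates, whatever
    # else was found; the findings travel with the escalation.
    if entry.residual_risk > appetite:
        findings.append("residual risk exceeds appetite")
        return {"action": "escalate", "findings": findings}

    # Section 3: acceptance is not permanent. Changed exposure triggers
    # reassessment before any other decision.
    if entry.response == "accept" and entry.exposure_changed_since_acceptance:
        findings.append("exposure changed since acceptance")
        return {"action": "reassess", "findings": findings}

    return {"action": "review" if findings else "maintain", "findings": findings}


# Constructed register entries, each mirroring one practice-question scenario.
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Residual risk still above tolerance after mitigation", 4, 4,
              "business_unit_head", "mitigate", control_cost=20_000, expected_loss=150_000),
    RiskEntry("R-02", "Security accepted a risk on the business unit's behalf", 2, 2,
              "ciso", "accept", acceptance_signed_by="ciso", accepted_on=date(2024, 3, 1)),
    RiskEntry("R-03", "Accepted last year; threat activity has since increased", 3, 3,
              "business_unit_head", "accept", acceptance_signed_by="business_unit_head",
              accepted_on=date(2023, 6, 15), exposure_changed_since_acceptance=True),
    RiskEntry("R-04", "Control costs more than the loss it prevents", 1, 2,
              "business_unit_head", "mitigate", control_cost=40_000, expected_loss=3_000),
]


def run_register(register: List[RiskEntry] = SAMPLE_REGISTER) -> Dict[str, str]:
    """Map each risk_id to its recommended action."""
    return {e.risk_id: str(evaluate(e)["action"]) for e in register}


if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        result = evaluate(entry)
        print(f"{entry.risk_id} residual={entry.residual_risk:>2} -> {result['action']}: {result['findings']}")
```

Running the module prints one line per entry: R-01 escalates because residual risk exceeds appetite; R-02 is flagged for review because a security role both owns and signed the acceptance; R-03 is sent back for reassessment because exposure changed after acceptance; R-04 is flagged for review because the control costs more than the loss it addresses. Note that "review" never silently becomes "accept": the script recommends, and the documented decision still rests with the business risk owner.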

Section B — Practice Questions

Question 1

Residual risk remains above defined tolerance after mitigation.

What should occur NEXT?

A. Informally accept the risk
B. Escalate to appropriate risk owner for formal decision
C. Ignore the excess exposure
D. Shut down the system

Answer & reasoning

Correct: B

Risk exceeding appetite requires formal escalation and documented decision.

Question 2

A mitigation control costs more than the potential financial loss associated with the risk.

What is the MOST appropriate response?

A. Implement the control anyway
B. Conduct cost-benefit analysis and consider formal acceptance
C. Avoid the activity entirely
D. Transfer the risk without analysis

Answer & reasoning

Correct: B

Risk treatment must be economically rational and aligned with governance.

Question 3

A business unit accepts a security risk without documenting approval.

What is the PRIMARY governance weakness?

A. Encryption gap
B. Control failure
C. Vendor mismanagement
D. Lack of formal risk acceptance documentation

Answer & reasoning

Correct: D

Formal documentation ensures accountability and audit traceability.

Question 4

A key control owner leaves the organization. No replacement is assigned.

What is the MOST significant risk?

A. Reduced automation
B. Increased encryption
C. Vendor inefficiency
D. Unmonitored control effectiveness

Answer & reasoning

Correct: D

Controls without ownership degrade in effectiveness.

Question 5

A risk was accepted last year. Monitoring shows increased threat activity affecting the same exposure.

What should be done FIRST?

A. Reassess residual risk and escalate if needed
B. Maintain prior acceptance
C. Automatically mitigate
D. Remove from risk register

Answer & reasoning

Correct: A

Risk acceptance must be revisited when exposure changes.

Question 6

A cyber insurance policy is purchased to reduce potential financial impact of a breach.

What risk response strategy is primarily used?

A. Avoidance
B. Mitigation
C. Transfer
D. Acceptance

Answer & reasoning

Correct: C

Insurance transfers financial risk but does not eliminate exposure.

Question 7

The board receives monthly vulnerability counts but no trend or business context.

What is the MOST significant reporting gap?

A. Insufficient scanning
B. Reduced automation
C. Lack of risk-aligned reporting
D. Vendor inefficiency

Answer & reasoning

Correct: C

Board reporting must reflect enterprise risk posture, not technical metrics.

Question 8

A mitigation plan reduces risk to within appetite but significantly delays a strategic initiative.

What is the MOST appropriate approach?

A. Eliminate the initiative
B. Reevaluate cost-benefit alignment with business objectives
C. Increase monitoring
D. Transfer the risk

Answer & reasoning

Correct: B

Risk response must balance security with strategic objectives.

Question 9

Risk monitoring identifies increasing control failure rates but no current impact.

What should occur FIRST?

A. Conduct root cause analysis and reassess residual risk
B. Ignore the trend
C. Escalate to regulators
D. Shut down affected systems

Answer & reasoning

Correct: A

Monitoring triggers analysis before escalation.

Question 10

Security attempts to accept risk on behalf of a business unit.

What is the PRIMARY governance issue?

A. Improper authority alignment
B. Encryption weakness
C. Vendor mismanagement
D. Excessive monitoring

Answer & reasoning

Correct: A

Risk acceptance authority belongs to designated business risk owners.

Section B Pattern Summary

In Domain 2 Section B:

  • Risk response must align with appetite.
  • The business owns the risk.
  • Security advises and monitors.
  • Documentation is mandatory.
  • Monitoring validates decisions.
  • Escalation enforces governance.

CISM rewards structured judgment over emotional reaction.
