Determining Acceptable Risk Levels in Information Security

Determining Acceptable Risk Levels


Question

The decision as to whether a risk has been reduced to an acceptable level should be determined by:

Answer

A.

Explanation

Organizational requirements should determine when a risk has been reduced to an acceptable level. The organization owns the risk, so its management, not a technical function, decides how much residual risk it is prepared to accept.

Information systems and information security requirements are inputs to that decision; neither should make the ultimate determination.

Since each organization is unique, international standards of best practice offer guidance on the process rather than the decision itself; they cannot tell a particular organization what level of residual risk is acceptable to it.

The decision as to whether a risk has been reduced to an acceptable level (that is, whether the residual risk remaining after controls are applied is tolerable) is a critical step in the risk management process. Risk management is the process of identifying, assessing, and controlling risks to an organization's operations, assets, and individuals.

To determine whether a risk has been reduced to an acceptable level, the decision should be based on the organization's requirements. Senior management should define the organization's risk appetite, which is the amount and type of risk it is willing to accept in pursuit of its objectives. The risk appetite should follow from the organization's mission, values, and overall strategy, and it is the yardstick against which residual risk is judged.

Information security requirements also feed the decision. They are defined in the organization's information security policy, which states the organization's information security objectives and the controls necessary to achieve them. The policy is itself derived from the organization's risk appetite, legal and regulatory obligations, and industry best practices, so security requirements express the organization's acceptable level of risk rather than define it independently.

Information systems requirements may also influence the decision. These are the availability, confidentiality, and integrity objectives for each system, typically set by the system's business owner, and they should likewise reflect the organization's risk appetite and the risks specific to those systems.

Finally, international standards (such as ISO/IEC 27005 for information security risk management) provide guidance on risk management and on how to arrive at acceptable risk levels. Organizations may adopt them as best practice or because a legal, regulatory, or contractual obligation requires it, but a standard cannot set the acceptance threshold for a particular organization; it can only describe the process by which that organization arrives at its own.

In summary, whether a risk has been reduced to an acceptable level is decided against the organization's requirements, above all its risk appetite. Information security and information systems requirements inform the decision but are themselves derived from those organizational requirements, and international standards supply guidance on the process rather than the acceptance threshold itself.