After completing a full IT risk assessment, who can BEST decide which mitigating controls should
be implemented?

A. Senior management

B. Business manager

C. IT audit manager

D. Information security officer (ISO)

Explanation:

The business manager will be in the best position, based on the risk assessment and mitigation
proposals, to decide which controls should or could be implemented, in line with the business
strategy and within budget. Senior management will have to ensure that the business manager has
a clear understanding of the assessed risk, but in no case will be in a position to decide on specific
controls. The IT audit manager will take part in the process to identify threats and vulnerabilities
and to make recommendations for mitigations. The information security officer (ISO) could make
some decisions regarding implementation of controls. However, the business manager will have a
broader business view and full control over the budget and, therefore, will be in a better position to
make strategic decisions.
