If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST:

December 16, 2021 by Admin

If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST:

  • transfer risk to a third party to avoid cost of impact
  • implement controls to mitigate the risk to an acceptable level
  • recommend that management avoids the business activity
  • assess the gap between current and acceptable level of risk
