Which of the following statements regarding information security risk is NOT correct?

ISO-IEC-27001 Lead Implementer V1 0 Comments

Which of the following statements regarding information security risk is NOT correct?
A . Information security risk is associated with the potential that the vulnerabilities of an information asset may be exploited by threats
B . Information security risk cannot be accepted without being treated or during the process of risk treatment
C . Information security risk can be expressed as the effect of uncertainty on information security objectives

Answer: B

Explanation:

According to ISO/IEC 27001:2022, information security risk can be accepted as one of the four possible options for risk treatment, along with avoiding, modifying, or sharing the risk12. Risk acceptance means that the organization decides to tolerate the level of risk without taking any further action to reduce it3. Risk acceptance can be done before, during, or after the risk treatment process, depending on the organization’s risk criteria and the residual risk level4.

Reference: 1: ISO 27001 Risk Assessments | IT Governance UK 2: ISO 27001 Risk Assessment: 7 Step

Guide – IT Governance UK Blog 3: ISO 27001 Clause 6.1.2 Information security risk assessment

process 4: ISO 27001 Risk Assessment & Risk Treatment: The Complete Guide – Advisera

Latest ISO-IEC-27001 Lead Implementer Dumps Valid Version with 50 Q&As

Latest And Valid Q&A | Instant Download | Once Fail, Full Refund

Instant Download ISO-IEC-27001 Lead Implementer PDF     ISO-IEC-27001 Lead Implementer Questions Online Training
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments