
Which of the following statements regarding information security risk is NOT correct?

A . Information security risk is associated with the potential that the vulnerabilities of an information asset may be exploited by threats
B . Information security risk cannot be accepted without being treated or during the process of risk treatment
C . Information security risk can be expressed as the effect of uncertainty on information security objectives

Answer: B

Explanation:

Under ISO/IEC 27001:2022 (clause 6.1.3), with the risk treatment guidance in ISO/IEC 27005, accepting (retaining) a risk is one of the four recognised treatment options, alongside avoiding, modifying and sharing it [1][2]. Risk acceptance means the organisation knowingly decides to tolerate the current level of risk, without any further action to reduce it, because that level satisfies its risk acceptance criteria [3]. Acceptance can therefore take place before treatment (the inherent risk already meets the criteria), during treatment, or after treatment (the residual risk meets the criteria), depending on the organisation's risk criteria and the residual risk level [4]. Statement B is thus incorrect. Statements A and C restate the standard definitions: risk arises from the potential for threats to exploit the vulnerabilities of an information asset, and risk is defined as the effect of uncertainty on (information security) objectives.

References:

1. ISO 27001 Risk Assessments, IT Governance UK
2. ISO 27001 Risk Assessment: 7 Step Guide, IT Governance UK Blog
3. ISO 27001 Clause 6.1.2 Information security risk assessment process
4. ISO 27001 Risk Assessment & Risk Treatment: The Complete Guide, Advisera
