Domain 2 - Daily Questions - 16.06.2025

Assessment

Quiz

Information Technology (IT)

Professional Development

Hard

Created by

Nivedita Newar

8 questions

1.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

What is the PRIMARY purpose of information risk management in an enterprise?

To eliminate all security risks

To ensure compliance with regulations

To align risk responses with business objectives

To implement technical controls

Answer explanation

Correct Answer: C
Explanation: Risk management aims to align risk treatment with business goals, ensuring informed decision-making.

Incorrect Options:

  • A: Eliminating all risks is unrealistic and not cost-effective.

  • B: Compliance is a component, not the primary purpose.

  • D: Controls are part of risk treatment, not the overall purpose.

2.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which of the following BEST describes residual risk?

Risk that has been transferred to a third party

Risk that remains after controls are implemented

Risk that is accepted without mitigation

Risk that is identified during audits

Answer explanation

Correct Answer: B
Explanation: Residual risk is the remaining risk after mitigation strategies have been applied.

Incorrect Options:

  • A: Transferred risk is handled by another party, not residual.

  • C: Accepted risk may be residual but not always.

  • D: Audit findings may reveal risks but don’t define residual risk.

3.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

What is the MOST important factor when prioritizing risk treatment options?

Cost of implementation

Regulatory requirements

Business impact and likelihood ✅

Availability of technical solutions

Answer explanation

Correct Answer: C
Explanation: Risk prioritization is based on the potential impact and likelihood of occurrence.

Incorrect Options:

  • A: Cost is important but secondary to risk severity.

  • B: Regulations guide treatment but don’t determine priority.

  • D: Technical feasibility supports implementation, not prioritization.

4.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which of the following is the BEST reason to perform a risk assessment regularly?

To meet audit requirements

To update the incident response plan

To identify changes in the threat landscape ✅

To justify security budgets

Answer explanation

Correct Answer: C
Explanation: Regular assessments help detect new threats and vulnerabilities affecting the organization.

Incorrect Options:

  • A: Audits may require assessments, but that’s not the best reason.

  • B: Incident response updates are a result, not a reason.

  • D: Budget justification is a benefit, not the primary reason.

5.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which of the following is the MOST appropriate action when a risk is identified but cannot be mitigated cost-effectively?

Ignore the risk

Transfer the risk

Accept the risk with management approval ✅

Escalate the risk to the IT department

Answer explanation

Correct Answer: C
Explanation: Accepting risk is valid when mitigation is impractical, provided it’s approved by management.

Incorrect Options:

  • A: Ignoring risk is irresponsible and dangerous.

  • B: Transferring may not be feasible or cost-effective.

  • D: IT may manage controls but cannot approve risk acceptance.

6.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

What is the PRIMARY role of a risk register in information risk management?

To document security policies

To track compliance issues

To record and monitor identified risks ✅

To list approved security tools

Answer explanation

Correct Answer: C
Explanation: A risk register is a central repository for tracking risks, their status, and treatment plans.

Incorrect Options:

  • A: Policies are documented separately.

  • B: Compliance issues may be included but are not the focus.

  • D: Tools are part of implementation, not risk tracking.

7.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which of the following BEST supports a risk-based approach to information security?

Implementing firewalls and antivirus software

Conducting regular penetration tests

Aligning security controls with risk assessments ✅

Enforcing strict password policies

Answer explanation

Correct Answer: C
Explanation: A risk-based approach ensures controls are selected based on assessed risks.

Incorrect Options:

  • A: These are generic controls, not necessarily risk-driven.

  • B: Pen tests help identify risks but don’t define the approach.

  • D: Password policies are important but not risk-based by default.

8.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

What is the PRIMARY benefit of integrating risk management into the system development life cycle (SDLC)?

It reduces the cost of development

It ensures faster deployment

It identifies and mitigates risks early ✅

It improves user interface design

Answer explanation

Correct Answer: C
Explanation: Early risk identification in SDLC helps prevent costly fixes and ensures secure design.

Incorrect Options:

  • A: Cost reduction may occur but is not the primary benefit.

  • B: Security integration may slow deployment initially.

  • D: UI design is unrelated to risk management.