
ISACA CISM: Who Decides If a Control Should Change After Risk Is Approved for Mitigation?

Learn which role has the authority to change a control once a risk has been approved for mitigation, and how the risk owner, data owner, control owner, and process owner divide responsibility in the risk management process. A concise explanation for ISACA CISM exam preparation.


Question

Who should decide whether a specific control should be changed once risk is approved for mitigation?

A. Risk owner
B. Data owner
C. Control owner
D. Process owner

Answer

C. Control owner

Explanation

Once a risk has been approved for mitigation, the control owner decides whether a specific control addressing that risk needs to be changed. The control owner is responsible for the day-to-day operation, maintenance, and effectiveness of the control, and therefore has the clearest view of how the control actually functions and which modifications are needed to treat the identified risk.

The other roles have different responsibilities. The risk owner is accountable for ensuring the risk is treated and for accepting the residual risk that remains; the data owner is accountable for classifying and safeguarding information assets; the process owner manages the business process the control supports. None of them has direct oversight of the control itself. After the mitigation plan is approved, it is the control owner who assesses whether the existing control is sufficient or whether enhancements or updates are required.

The control owner is therefore in the best position to decide whether a control should be changed once mitigation is approved. This decision is not made in isolation: the risk owner remains accountable for the outcome, so a change that alters the level of residual risk should be confirmed with the risk owner, and the process owner should be consulted where the change affects how the business process operates.

The key points are:

  • The control owner is responsible for the ongoing operation, maintenance, and effectiveness of controls
  • After risk mitigation is approved, the control owner assesses whether the control needs to change
  • The control owner has the authority to decide whether a control should be modified
  • The control owner coordinates with the other roles, especially the risk owner who remains accountable for the residual risk
