An organization has a high residual risk after implementing all feasible controls. According to CISM best practices, which of the following should the information security manager do? (Select TWO.)
Why this answer
When residual risk remains high after all feasible controls have been implemented, the information security manager should escalate the risk to senior management for formal risk acceptance (Option A). This aligns with CISM guidance: the security manager advises on risk, but only senior management (or the designated risk owner) has the authority to accept a risk that exceeds the organization's risk appetite. In addition, implementing compensating controls (Option C) is appropriate because, even when the primary controls are already in place, alternative or layered controls may reduce the residual risk further toward an acceptable level.
Exam trap
The trap here is treating 'documenting and accepting' the risk (Option B) as sufficient. CISM practice requires that acceptance of risk above appetite be formally escalated to and approved by senior management; it is not a decision the security manager makes and records on their own.
Why the other options are wrong
Documenting and accepting the risk (Option B): documentation alone is not sufficient; a high residual risk must be escalated to senior management for a formal acceptance decision.
Performing a new risk assessment: a reassessment may be appropriate later to confirm the risk level, but the immediate actions are to escalate the risk and consider additional (compensating) controls.