Question 190
A key risk treatment was not implemented. What’s the CISO’s responsibility?
A. Ignore and move on
B. Document the deviation and escalate to risk committee
C. Remove it from the risk register
D. Cancel the mitigation plan
Answer: Document the deviation and escalate to risk committee
Failure to implement a planned risk treatment must be documented and escalated to the governing body (the risk committee) so it can formally accept the residual risk or direct an alternative treatment.