ISC2 Governance, Risk and Compliance (CGRC) Practice Question
An internal audit identifies a low-probability, low-impact vulnerability in a non-critical kiosk application. Correcting it would mean replacing custom hardware that costs more than the kiosk's remaining book value. No regulation requires immediate correction, and compensating monitoring controls are already in place. Which risk response strategy should the information security manager recommend?
Avoid the risk by decommissioning the kiosks immediately.
Transfer the risk by purchasing additional cyber insurance.
Accept the risk and document management's acknowledgement.
Mitigate the risk by installing replacement hardware and software.
Correct answer: Accept the risk and document management's acknowledgement.

The vulnerability is on a non-critical system, has low likelihood and low impact, is not subject to any regulatory deadline, is already covered by compensating monitoring controls, and would cost more to remediate than the asset's remaining book value. When the cost of a control exceeds the expected loss it prevents, the proportionate response is formal risk acceptance: the risk owner (management, not the security manager alone) records the exposure, the rationale, the residual risk, the compensating controls relied upon, and a review trigger such as a change in likelihood, impact, regulation, or asset lifecycle. Acceptance is a documented decision, not ignoring the finding; the existing monitoring controls continue to operate.

The other options spend money or disrupt operations without a proportional reduction in risk. Avoiding the risk by decommissioning the kiosks removes a working, non-critical asset to close a low-impact exposure. Transferring the risk through additional insurance adds premium cost for an expected loss that is already negligible. Mitigating the risk with replacement hardware and software costs more than the kiosks are worth, which is exactly the cost-benefit condition that makes acceptance the right choice.
Assessment/Audit of Security and Privacy Controls