A risk has been formally accepted and documented. Which of the following is the MOST important action for an information security manager?
- A. Update risk tolerance levels.
- B. Notify senior management and the board.
- C. Monitor the environment for changes.
- D. Re-evaluate the organization?€™s risk appetite.
My opinion: Since the risk is “formally accepted and documented” – which means the risk assessment is completely done, hence A and B is no longer valid, but leave me with C and D. I have tendency to choose C (since nothing else an IS manager can do at this juncture) but some portal answered it is D. I need help to understand why D can be a valid choice and what is the expert answer?