Free ISACA CISM Actual Exam Questions - Question 12 Discussion

Question No. 12
Which of the following is an example of risk mitigation?
Sarah Q.
2026-02-21

A vs C? Insurance transfers risk rather than reducing it, so that’s not mitigation. Stopping the activity (B) is more about avoidance. The core of mitigation is controlling or lessening the risk, which fits improving security controls (C) perfectly, so definitely C here.

0
Brian T.
2026-02-18

It’s C because mitigation means reducing risk, not avoiding it. Improving security controls lowers the chance or impact, which fits perfectly, unlike B which is straight-up avoidance.

0
Brian T.
2026-02-13

C. Improving security controls actively reduces the chance or impact of a risk, which fits the definition of mitigation better than just transferring or avoiding risk.

0
Irfan C.
2026-01-25

Maybe C is the best pick since improving security actually lowers the chance or impact of risk. Insurance (A) just moves the risk to someone else, so that’s transfer, not mitigation.

0
Irfan C.
2026-01-23

C imo. Mitigation is about reducing the chance or impact of a risk, not just shifting it somewhere else. Insurance (A) is more about transferring risk, and stopping the activity (B) is avoidance, not mitigation. C fits because improving security controls actively lowers the risk. D is just analysis, not action.

0
Luke M.
2026-01-17

It’s C because improving controls actually reduces the risk itself, unlike just transferring it.

0
Sarah R.
2026-01-15

What’s the difference here between mitigation and avoidance? Discontinuing sounds like avoidance so it might not fit. But does buying insurance count as lowering risk or just transferring it? Just wanna make sure I’m not mixing terms up before picking C or A.

0