Determining Risk Tolerance
Acceptable levels of information security risk tolerance are a strategic decision that must align with the organization's overall risk appetite and business objectives.
The CEO and board of directors are responsible for setting the overall risk tolerance and ensuring it aligns with the organization's goals and compliance requirements.
Role of Other Entities
Corporate legal counsel: Provides legal guidance but does not set risk tolerance levels.
CISO with reference to company goals: Advises on technical risks and mitigations but does not make final decisions on risk tolerance.
Corporate compliance committee: Ensures adherence to regulatory requirements but doesn’t determine organizational risk levels.
EC-Council References
EC-Council stresses the importance of executive-level involvement in establishing risk tolerance as part of governance and risk management frameworks.