Understanding Residual Risk:
Residual risk is the amount of risk remaining after controls and mitigations have been applied.
Risk appetite defines the level of risk an organization is willing to accept before taking additional actions.
Why Option D is Correct:
The CIO must clarify the organization's "Risk Appetite" to determine how much residual risk is acceptable.
If the residual risk exceeds the appetite, additional security measures need to be implemented.
This aligns with ISO 31000 and the NIST Risk Management Framework (RMF).
Why Other Options Are Incorrect:
A (Mitigation): Mitigation refers to reducing risk, but it does not define the acceptable level of residual risk.
B (Impact): Impact assessment measures potential damage, but it does not determine what is acceptable.
C (Likelihood): Likelihood is the probability of a risk occurring, but not what level is acceptable.
References: CompTIA SecurityX CAS-005 Official Study Guide: Risk Management & Business Continuity; NIST SP 800-37: Risk Management Framework; ISO 27005: Risk Tolerance & Acceptance.