For the certification it is important to know where you sit in the organization and to answer the questions from that viewpoint.
You are a risk adviser or an IT security manager; answer all questions with that role in mind.
- Governance vs. Management
  - Governance – This is the C-level executives (not you).
    - Stakeholder needs, conditions and options are evaluated to define:
      - Balanced, agreed-upon enterprise objectives to be achieved.
      - Setting direction through prioritization and decision making.
      - Monitoring performance and compliance against the agreed-upon direction and objectives.
    - Risk appetite – Aggressive, neutral or averse.
  - Management – How do we get to the destination (this is you).
    - Plans, builds, runs and monitors activities in alignment with the direction set by governance to achieve the objectives.
    - Risk tolerance – How we practically work within our risk appetite, given our environment.