The correct answer isBbecause the most effective way to evaluatecontrol implementation processesis to determine whether the controls have reduced risk to a level whereresidual risk is within risk appetite. Control implementation is successful only if it achieves the intended objective of reducing risk to an acceptable level.
The other options are less effective:
A. Engage regular external auditsmay provide assurance, but this is not the most direct way to evaluate implementation effectiveness.
C. Interview users who detect and report issuesmay provide helpful feedback, but it is indirect and subjective.
D. Review trends in the number of exceptionscan indicate possible problems, but exception counts alone do not confirm whether the implemented controls are effectively managing risk.
Exact Extracts supporting the answer:
“Enterprise requirements are key in determining if a risk has been reduced to an acceptable level.”
“The most important criterion when reviewing information security controls is ensuring that the controls are effectively addressing risk.”
“The BEST way to ensure that an information systems control is appropriate and effective is to verify that the risk associated with the control is mitigated.”
“Effective control implementation primarily correlates with the decrease of residual risk as it ' s defined as the remaining risk after management has implemented risk response.”
“The BEST measure of the effectiveness of a new control implemented to mitigate a recurring risk event is a measurable reduction in likelihood impact or both.”
These extracts show that control implementation should be judged by its effect on remaining risk. Therefore, the best evaluation is whetherresidual risk is within risk appetite.
===========
