The decision as to whether a risk has been reduced to an acceptable level should be determined by:
A. organizational requirements.
B. information systems requirements.
C. information security requirements.
D. international standards.
Answer: A
Explanation:
Organizational requirements should determine when a risk has been reduced to an acceptable level. Information systems and information security should not make the ultimate determination. Since each organization is unique, international standards of best practice do not represent the best solution.