The department head of application development has decided to accept the risks identified in a recent assessment. No recommendations will be implemented, even though the recommendations are required by regulatory oversight.
What should the information security manager do NEXT?
A . Formally document the decision.
B . Review the risk monitoring plan.
C . Perform a risk reassessment.
D . Implement the recommendations.
Answer: A