An information security manager has been asked to determine whether an information security initiative has reduced risk to an acceptable level.
Which of the following activities would provide the BEST information for the information security manager to draw a conclusion?
A . Initiating a cost-benefit analysis of the implemented controls
B . Reviewing the risk register
C . Conducting a business impact analysis (BIA)
D . Performing a risk assessment
Answer: D