Certified Information Security Manager (CISM) Practice Exam

Question: 1 / 400

Should a risk assessment include controls that are planned but not yet implemented?

Yes
No
Only if they are budgeted
Only for critical risks

Correct answer: Yes

Including planned but not yet implemented controls in a risk assessment is essential for a comprehensive understanding of an organization's risk landscape. This approach allows an organization to evaluate not only the current state of risks and controls but also to anticipate future risk management capabilities and the potential effectiveness of those planned controls.

By considering planned controls, organizations can identify gaps in their risk management strategy and prioritize the actions required to mitigate risks effectively. This foresight can also inform stakeholders and decision-makers about the organization's commitment to strengthening its security posture over time.

Moreover, planned controls can have implications for risk ratings, as they demonstrate a proactive approach to managing potential vulnerabilities before they can be exploited. It is beneficial to include these controls even if they are not yet in place, because doing so helps align risk management efforts with organizational goals and with resource allocation for future improvements.

In contrast, omitting planned controls from the assessment could lead to an incomplete picture of risk exposure and may hinder effective decision-making regarding resource priorities and risk mitigation strategies.
