It is MOST important for an information security manager to ensure that security risk assessments are performed:
A. consistently throughout the enterprise
B. during a root cause analysis
C. as part of the security business case
D. in response to the threat landscape
Reference https://m.isaca.org/Certification/Additional-Resources/Documents/CISM-Item-Development-Guide_bro_Eng_0117.pdf (14)