The decision as to whether a risk has been reduced to an acceptable level should be determined
by:

A.
organizational requirements.

B.
information systems requirements.

C.
information security requirements.

D.
international standards.

Explanation:

Organizational requirements should determine when a risk has been reduced to an acceptable
level. Information systems and information security should not make the ultimate determination.
Since each organization is unique, international standards of best practice do not represent the
best solution.