The appropriateness of an information security control is measured by its ability to reduce risk to a level that is acceptable to the organization. This acceptable level of risk is formally defined by the organization's risk appetite. Without a clearly defined risk appetite, the information security manager lacks an objective benchmark to determine if the residual risk (the risk remaining after a control is applied) is tolerable. Therefore, risk appetite is the most fundamental and mandatory prerequisite for evaluating whether existing controls are sufficient, excessive, or inadequate.

A. Security policy provides high-level guidance and intent but does not define the specific, quantifiable level of acceptable risk needed for evaluation.

B. A risk management framework defines the process and structure for managing risk, not the organization's specific tolerance for risk.

D. Security standards dictate mandatory requirements for implementing controls, but the standards themselves should be derived from and aligned with the organization's risk appetite.

1. ISACA

CISM Review Manual

16th Edition. Domain 2: Information Risk Management

Section 2.2.3

page 91. The manual states

"Risk appetite is the amount of risk an entity is willing to accept in pursuit of its mission... It is a guidepost in setting strategy and selecting objectives." This establishes risk appetite as the primary benchmark against which security efforts

including control appropriateness

are measured.

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives. EDM03 Ensure Risk Optimization

page 35. This governance objective includes the key practice EDM03.01

which is to "Evaluate risk management." A key activity is to "Continually... verify that the enterprise’s risk appetite and tolerance are defined..." This confirms that defining risk appetite is a foundational governance activity necessary for evaluating the entire risk management process

which includes the controls within it.

3. Fung

H. P. (2014). Information Security Governance: A Sub-Framework of Corporate Governance. In IT Governance: An International Perspective (pp. 11-22). Emerald Group Publishing Limited. This academic text on IT governance emphasizes that the board's responsibility includes setting the risk appetite

which then "guides management in the implementation of risk management practices

" including the selection and evaluation of controls. This establishes the hierarchical importance of risk appetite.