Exceptions to a security policy should be approved based PRIMARILY on:

A. risk appetite

B. the external threat probability.

C. results of a business impact analysis (BIA).

D. the number of security incidents.

Correct Answer: A????? or C???????

______________________

Note

The official answer (could be incorrect because NO comes from ISACA!) is: "C. results of a business impact analysis (BIA)".

Other experts claim that the correct answer is: "A. risk appetite".

Your expert opinion (and explanation) is strongly requested. Many thanks in advance.