The PRIMARY objective for requiring an independent review of an organizations IT risk management process should be to:
A . ensure IT risk management is focused on mitigating potential risk.
B . confirm that IT risk assessment results are expressed as business impact.
C . assess gaps in IT risk management operations and strategic focus.
D . verify implemented controls to reduce the likelihood of threat materialization.
Answer: C