An information security manager has completed a risk assessment and has determined the residual risk. Which of the following should be the NEXT step? 

Answer options:

A. Conduct an evaluation of controls
B. Determine if the risk is within the risk appetite
C. Implement countermeasures to mitigate risk
D. Classify all identified risks

B