If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST: 

Answer options:

A. implement controls to mitigate the risk to an acceptable level.
B. recommend that management avoids the business activity.
C. assess the gap between current and acceptable level of risk.
D. transfer risk to a third party to avoid cost of impact.

C