CompTIA SecurityX (CAS-005) — Question 226
An organization is prioritizing efforts to remediate or mitigate risks identified during the latest assessment. For one of the risks, a full remediation was not possible, but the organization was able to successfully apply mitigations to reduce the likelihood of the impact. Which of the following should the organization perform next?
Answer options
- A. Assess the residual risk.
- B. Update the organization’s threat model.
- C. Move to the next risk in the register.
- D. Recalculate the magnitude of the impact.
Correct answer: A
Explanation
The correct answer is A: assessing the residual risk is essential to understand what risk remains after the mitigations have been applied. Updating the threat model (B) and recalculating the magnitude of the impact (D) may be useful, but they should follow the evaluation of residual risk. Moving to the next risk in the register (C) without assessing the current one could leave significant remaining risk unexamined.