CompTIA CySA+ (CS0-002) — Question 406

A company has started planning the implementation of a vulnerability management procedure. However, its security maturity level is low. So there are some prerequisites to complete before risk calculation and prioritization.
Which of the following should be completed FIRST?

Answer options

• A. A business impact analysis
• B. A system assessment
• C. Communication of the risk factors
• D. A risk identification process

Correct answer: B

Explanation

The first step in vulnerability management is to conduct a system assessment, as it helps identify the current state of systems and their vulnerabilities. This foundational knowledge is crucial before moving on to risk calculation and prioritization. The other options, while important, are secondary steps that rely on having a clear understanding of the existing system vulnerabilities.