Certified Information Systems Auditor (CISA) — Question 1230
What is the BEST way to identify unforeseen risk that may impact IT processes?
Answer options
- A. Review metrics and historical incident response reports.
- B. Perform application control self-assessments (CSAs).
- C. Assess IT policies and procedures.
- D. Conduct a threat and vulnerability analysis.
Correct answer: D
Explanation
The correct answer is D because conducting a threat and vulnerability analysis helps identify potential risks that may not be immediately apparent, allowing for proactive mitigation. Reviewing metrics and reports, performing CSAs, and assessing policies are useful practices, but they do not target unforeseen risks as directly as a threat and vulnerability analysis does.