Certified Information Systems Auditor (CISA) — Question 132
Which of the following should be identified FIRST during the risk assessment process?
Answer options
- A. Vulnerability
- B. Existing controls
- C. Legal requirements
- D. Information assets
Correct answer: D
Explanation
Identifying information assets comes first because it establishes what needs to be protected before vulnerabilities, existing controls, or legal requirements are assessed. Without knowing which assets are at risk, it is difficult to evaluate the effectiveness of controls or compliance with legal requirements. The other options are secondary and should be assessed after the information assets are identified.