Certified Information Systems Auditor (CISA) — Question 855

As part of the risk management process, threats and vulnerabilities should be mapped to:

Answer options

• A. existing controls.
• B. information assets.
• C. business objectives.
• D. key performance indicators (KPIs).

Correct answer: B

Explanation

The correct answer is B, as threats and vulnerabilities must be linked to information assets to effectively assess the risk they pose. While existing controls, business objectives, and KPIs are important in risk management, they do not directly relate to the mapping of threats and vulnerabilities.