Certified Information Security Manager (CISM) — Question 1108
Which of the following components of the risk assessment process should be reviewed FIRST to gain an understanding of the scope of an emerging risk within an organization?
Answer options
- A. Risk categorization
- B. Asset identification
- C. Control evaluation
- D. Risk treatment
Correct answer: B
Explanation
The correct answer is B, Asset identification, because it helps to determine which assets are at risk and how important they are to the organization. Understanding the assets is crucial before categorizing risks, evaluating controls, or determining treatment options, because each of those steps depends on this foundational knowledge.