Certified Information Security Manager (CISM) — Question 1236
When scoping a risk assessment, assets need to be classified by:
Answer options
- A. sensitivity and criticality.
- B. likelihood and impact.
- C. threats and opportunities.
- D. redundancy and recoverability.
Correct answer: A
Explanation
Assets in a risk assessment are classified by their sensitivity and criticality, which helps prioritize the assets that require the most protection. Likelihood and impact relate to risk evaluation rather than asset classification, and neither "threats and opportunities" nor "redundancy and recoverability" specifically pertains to asset categorization.