Certified Information Security Manager (CISM) — Question 180

Deciding the level of protection a particular asset should be given is BEST determined by:

Answer options

• A. the corporate risk appetite.
• B. a risk analysis.
• C. a threat assessment.
• D. a vulnerability assessment.

Correct answer: B

Explanation

A risk analysis is essential because it evaluates the potential risks to an asset and helps determine the appropriate level of protection needed. While the corporate risk appetite, threat assessment, and vulnerability assessment provide useful information, they do not directly quantify the risk to the asset in the same way a risk analysis does.