Certified Information Security Manager (CISM) — Question 275

Which of the following is necessary to determine what would constitute a disaster for an organization?

Answer options

• A. Recovery strategy analysis
• B. Backup strategy analysis
• C. Risk analysis
• D. Threat probability analysis

Correct answer: C

Explanation

The correct answer is C, as risk analysis helps organizations identify potential threats and vulnerabilities that could lead to disasters. Options A and B focus on recovery and backup strategies, which are important but do not assess the risks themselves. Option D deals with the likelihood of threats but does not encompass the broader scope of risk analysis.