Certified Information Security Manager (CISM) — Question 421
Threat and vulnerability assessments are important PRIMARILY because they are:
Answer options
- A. used to establish security investments.
- B. needed to estimate risk.
- C. the basis for setting control objectives.
- D. elements of the organization's security posture.
Correct answer: B
Explanation
The correct answer is B: threat and vulnerability assessments are fundamentally designed to help organizations identify and quantify risks, which is key to informed decision-making. Options A, C, and D may be consequences or aspects of these assessments, but they do not capture the primary purpose, which is risk estimation.