Certified in Risk and Information Systems Control (CRISC) — Question 1216

Which of the following should be a risk practitioner's PRIMARY consideration when evaluating the possible impact of an adverse event affecting corporate information assets?

Answer options

• A. Authentication and authorization requirements for personnel accessing the assets
• B. Potential regulatory fines as a result of the adverse event
• C. The amount of data processed by the assets
• D. Criticality classification of the assets needed for normal business operations

Correct answer: D

Explanation

The criticality classification of assets is essential because it determines how vital those assets are to business continuity and operations. While authentication, regulatory fines, and data volume are important, they do not directly address the impact on business operations like the criticality classification does.