Certified in Risk and Information Systems Control (CRISC) — Question 1271

Which of the following should be the starting point when performing a risk analysis for an asset?

Answer options

• A. Assess controls.
• B. Assess risk scenarios.
• C. Evaluate threats.
• D. Update the risk register.

Correct answer: C

Explanation

The correct answer is C, as identifying and evaluating potential threats is foundational to understanding the risks associated with an asset. Options A, B, and D are subsequent steps that rely on the initial identification of threats to accurately assess controls, risk scenarios, and to update the risk register.