Certified in Risk and Information Systems Control (CRISC) — Question 171
Which of the following MUST be updated to maintain an IT risk register?
Answer options
- A. Risk appetite
- B. Risk tolerance
- C. Expected frequency and potential impact
- D. Enterprise-wide IT risk assessment
Correct answer: C
Explanation
The correct answer is C: the expected frequency and potential impact of risks are crucial metrics that need regular updates so that the register accurately reflects the current risk landscape. Options A and B, while important for overall risk management, do not specifically relate to the ongoing details a risk register requires. Option D pertains to a broader assessment and does not directly involve the specific updates the risk register itself needs.