Certified in Risk and Information Systems Control (CRISC) — Question 335
When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:
Answer options
- A. security policies.
- B. process maps.
- C. risk tolerance level.
- D. risk appetite.
Correct answer: A
Explanation
The correct answer is A, as security policies establish the foundational guidelines for managing risks in IT. Options B, C, and D are important but are secondary considerations that come after understanding the security policies in place.