Certified in Risk and Information Systems Control (CRISC) — Question 454

Which of the following should be the PRIMARY basis for the development of an IT risk scenario?

Answer options

• A. IT risk registers
• B. IT objectives
• C. IT risk owner input
• D. IT threats and vulnerabilities

Correct answer: D

Explanation

The correct answer is D, as IT threats and vulnerabilities provide the essential context for identifying potential risks that could impact the organization. Options A, B, and C may support risk management but do not directly inform the scenario development like actual threats and vulnerabilities do.