Certified in Risk and Information Systems Control (CRISC) — Question 475

Which of the following is the MOST relevant input to an organization's risk profile?

Answer options

• A. External audit's risk assessment
• B. Management's risk self-assessment
• C. Internal audit's risk assessment
• D. Information security's vulnerability assessment

Correct answer: B

Explanation

Management's risk self-assessment is crucial as it reflects the organization's internal perspective on risks, aligning with its strategic objectives. In contrast, external and internal audits provide useful insights but may not fully capture the operational realities and priorities that management perceives. The information security's vulnerability assessment, while important for identifying specific threats, does not encompass the broader risk profile of the organization.