Certified in Risk and Information Systems Control (CRISC) — Question 62

How residual risk can be determined?

Answer options

• A. By determining remaining vulnerabilities after countermeasures are in place.
• B. By transferring all risks.
• C. By threat analysis
• D. By risk assessment

Correct answer: A

Explanation

The correct answer, A, is accurate because residual risk is the risk that remains after security measures have been implemented, specifically the vulnerabilities that are still present. Option B is incorrect as transferring risks does not help in determining what remains. Option C, threat analysis, focuses on identifying potential threats rather than measuring residual risks. Option D, risk assessment, is a broader process that includes identifying risks but does not specifically address residual risk.