Certified in Risk and Information Systems Control (CRISC) — Question 656
Which of the following are the MOST important inputs when determining the desired state of IT risk during gap analysis?
Answer options
- A. IT risk appetite and tolerance
- B. IT risk strategy and organizational requirements
- C. IT risk and control assessment results
- D. IT vulnerability and penetration testing results
Correct answer: A
Explanation
The correct answer is A because the organization's IT risk appetite and tolerance determine how much risk is acceptable, and that threshold is what the desired state of IT risk has to reflect. Options B, C, and D provide important information but do not directly address the organization's threshold for risk.