Certified in Risk and Information Systems Control (CRISC) — Question 688

An IT risk profile should be reviewed and updated when a new:

Answer options

• A. risk scenario has been developed.
• B. vulnerability assessment tool is implemented.
• C. IT asset has been procured.
• D. audit finding has been issued.

Correct answer: A

Explanation

The correct answer is A because an IT risk profile must be updated when new risk scenarios arise to ensure it reflects the current risk landscape. Options B, C, and D may influence the risk profile but do not directly necessitate its immediate review like the emergence of a new risk scenario does.