Certified in Risk and Information Systems Control (CRISC) — Question 753
When establishing an enterprise IT risk management program, it is MOST important to:
Answer options
- A. review alignment with the organization's strategy.
- B. understand the organization's information security policy.
- C. validate the organization's data classification scheme.
- D. report identified IT risk scenarios to senior management.
Correct answer: A
Explanation
Option A is correct: keeping the IT risk management program aligned with the organization's overall goals and strategy is crucial to the program's success. Understanding the information security policy, validating the data classification scheme, and reporting identified IT risk scenarios to senior management are all important, but they are secondary to aligning the program with the organization's strategic objectives.