Certified in Risk and Information Systems Control (CRISC) — Question 819

A risk practitioner has just learned about new malware that has severely impacted industry peers worldwide. Which of the following should be done FIRST?

Answer options

A. Notify executive management.
B. Update the IT risk register.
C. Design risk mitigation plans.
D. Analyze the impact to the organization.

Correct answer: D

Explanation

The correct first step is to analyze the impact to the organization (D). Malware that has severely affected industry peers is not automatically a severe risk to this organization: the practitioner first needs to establish whether the affected platforms, versions, or business processes are present, what existing controls already cover them, and what the likely consequences would be. That analysis is the basis for every later decision. Notifying executive management (A) and updating the IT risk register (B) are necessary, but both should convey an assessed impact rather than an unqualified industry headline, so they follow the analysis. Designing risk mitigation plans (C) is premature until the specific risk to the organization is understood; otherwise effort may be spent on controls that do not address the actual exposure.