Certified Information Systems Security Professional (CISSP) — Question 288
What is the FIRST step in risk management?
Answer options
- A. Identify the factors that have potential to impact business.
- B. Establish the scope and actions required.
- C. Identify existing controls in the environment.
- D. Establish the expectations of stakeholder involvement.
Correct answer: A
Explanation
The first step in risk management is to identify the factors that could affect the business, because this identification sets the foundation for all subsequent actions. Options B, C, and D are important, but they occur after the risks have been identified, which makes them secondary steps in the risk management process.