Which of the following will be the GREATEST concern when assessing the risk profile of an organization?

• A.The risk profile does not contain historical loss data.
• B.The risk profile was developed without using industry standards.
• C.The risk profile was last reviewed two years ago.
• D.The risk profile was not updated after a recent incident

Comment: *

Name: *

Email: *

Verification: *

The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:

• A.Satisfy audit requirements.
• B.Survey and analyze historical risk data.
• C.Understand internal and external threat agents.
• D.Identify new or emerging risk issues.

Comment: *

Name: *

Email: *

Verification: *

When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?

• A.BCP is often tested using the walkthrough method
• B.BCP testing is not in conjunction with the disaster recovery plan (DRP)
• C.Each business location has separate, inconsistent BCPs
• D.Recovery time objectives (RTOs) do not meet business requirements

Comment: *

Name: *

Email: *

Verification: *

Which of the following come under the phases of risk identification and evaluation?
Each correct answer represents a complete solution. Choose three.

• A.Maintain a risk profile
• B.Collecting data
• C.Analyzing risk
• D.Applying controls

Correct Answer: A,B,C

Explanation/Reference:
Explanation:
Risk identification is the process of determining which risks may affect the project. It also documents risks' characteristics.
Following are high-level phases that are involved in risk identification and evaluation:
Collecting data- Involves collecting data on the business environment, types of events, risk categories,

risk scenarios, etc., to identify relevant data to enable effective risk identification, analysis and reporting.
Analyzing risk- Involves analyzing risk to develop useful information which is used while taking risk-

decisions. Risk-decisions take into account the business relevance of risk factors.
Maintain a risk profile- Requires maintaining an up-to-date and complete inventory of known threats

and their attributes (e.g., expected likelihood, potential impact, and disposition), IT resources, capabilities, and controls as understood in the context of business products, services and processes to effectively monitor risk over time.
Incorrect Answers:
D: It comes under risk management process, and not in risk identification and evaluation process.

Comment: *

Name: *

Email: *

Verification: *

Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?

• A.To allow for proper review of risk tolerance
• B.To enable consistent data on risk to be obtained
• C.To provide consistent and clear terminology
• D.To identify dependencies for reporting risk

Comment: *

Name: *

Email: *

Verification: *