At 1st i thought A. After re-reading the question, which "should" be given vs "will" be given. "Should be given" will be determined by Risk Analysis. "Will be given" will be risk appetite. So B for me.
A risk analysis includes the analysis of applicable threats by determining its applicability to the organization, its likelihood of impact and the severity of impact thereby deriving to a risk. Answer A is wrong, because the decision how to treat the risk is PARTIALLY determined by the organizations risk appetite. The risk treatment (including factors like an organizations risk appetite) is PART of a comprehensive risk analysis. Therefore, answer B is correct.
SO/IEC 27005:2018 – Defines risk analysis as a core activity in deciding what protection is needed.
NIST SP 800-30 Rev. 1 – Guide for Conducting Risk Assessments, stresses that protection decisions should be driven by formal risk analysis.
Why not the others?
A. The corporate risk appetite
→ Important for accepting or rejecting risk, but it doesn't determine asset-specific protection needs.
C. A threat assessment
→ Identifies potential threats, but does not factor in impact or vulnerability, so it lacks full context.
D. A vulnerability assessment
→ Identifies system weaknesses, but not their impact or the likelihood of exploitation — which are key to deciding protection levels.
risk analysis provides the most detailed and relevant information for deciding the level of protection needed for a specific asset, as it integrates considerations of threats, vulnerabilities, impacts, and likelihoods.
Conducting a risk analysis allows for a comprehensive evaluation of the threats, vulnerabilities, and potential impacts associated with specific assets. By analyzing these factors, organizations can make informed decisions about the level of protection required for each asset.
Explanation of why other options are not correct:
A. The corporate risk appetite: While the corporate risk appetite influences overall risk management decisions, including the allocation of resources and the establishment of risk tolerance levels, it does not directly determine the level of protection for individual assets. Risk appetite provides a high-level framework for decision-making but must be translated into specific risk analysis for each asset.
Risk analysis gives the level of risk, not level of protection.
After a risk analysis, the business then evaluates the level of (inherent/existing) risk against acceptable risk levels (RISK APETITE) to decide the level of protection to be provided, in a manner that the residual risk is within acceptable risk levels.
This section is not available anymore. Please use the main Exam Page.CISM Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
AWSgenio
Highly Voted 1 year, 4 months agoBamBamBigalo
1 year, 1 month agoJosef4CISM
Highly Voted 10 months, 2 weeks agoPrat1597
Most Recent 1 week, 6 days agoSyma
1 month, 3 weeks agohomeysl
1 month, 3 weeks ago6b41e93
7 months ago240b34b
9 months, 2 weeks agogreeklover84
9 months, 4 weeks agoiyke2k4
10 months, 4 weeks agoRagazzoAlex
12 months agoThavee
1 year, 3 months agoyottabyte
1 year, 4 months agoshervin2s
1 year, 4 months agooluchecpoint
1 year, 5 months agoCISSPST
1 year, 6 months agoTamerBeSafe
1 year, 7 months agoUncle_Lucifer
1 year, 7 months ago