It is not possible to analyze the risk to an asset without first identifying it.
Risk Management Process:
1. Establishing risk context
2. Risk identification
   (i) Asset identification
   (ii) Asset valuation and classification
   (iii) Threat identification and evaluation
   (iv) Vulnerability assessment
3. Risk Analysis: likelihood x impact
4. Risk Evaluation: evaluate determined risk against risk acceptance criteria
5. Risk Response: Accept, Transfer, Avoid, Mitigate. As part of mitigation, we select the control.
The order would be:
C, D, B, A
C. Create an information asset inventory. Creating an information asset inventory (which includes asset identification and classification) is typically the first step in the risk identification phase. Risk analysis only happens after assets have been identified. So the correct answer cannot be B.
I do agree it should be Risk Analysis.
Yes, the traditional way was to identify assets first, which was called the asset-oriented approach, but in today's world you can start with identifying the threats, which is called the threat-oriented approach, or start with identifying vulnerabilities, which is called the vulnerability-oriented approach, and all three approaches are part of risk analysis.
B. Perform a risk analysis.
A risk analysis involves identifying potential security risks and vulnerabilities, assessing their potential impact on your organization, and determining the likelihood of these risks occurring. This analysis provides you with a clear understanding of your security landscape, helping you make informed decisions about which security measures to implement.
Creating an information asset inventory (option C) and determining the value of information assets (option D) are important steps in the security program but typically come after performing a risk analysis. Implementing data encryption (option A) is a specific security control that you may decide to implement as part of your security program, but it should also be based on the findings from the risk analysis to ensure you are addressing the most critical security needs first.
When implementing a security program, creating an information asset inventory (option C) should be done FIRST. An information asset inventory identifies and documents all the organization's valuable assets, including data, systems, applications, and other resources. This forms the foundation for understanding what needs protection and helps guide subsequent security efforts.
CISSPST (Highly Voted), 4 months ago
Soleandheel (Most Recent), 1 month, 2 weeks ago
richck102, 3 months, 1 week ago
Akam, 3 months, 4 weeks ago
oluchecpoint, 4 months ago
AaronS1990, 4 months ago
Your_Trusted_Partner, 4 months, 3 weeks ago
Aleksandra1987, 5 months ago
drewl25, 5 months ago
Ewunia, 5 months ago
AaronS1990, 5 months, 1 week ago