Exam CISM topic 1 question 1 discussion

CISM - AIO 2nd -  The risk analyst studies different event scenarios and determines the impact of each. This may be expressed in quantitative terms (dollars or other currency) or qualitative terms (high/medium/low or a numeric scale of 1 to 5 or of 1 to 10). Sounds like B to me

Information security risk analysis helps organizations identify and prioritize potential risks to their information assets. By assessing the likelihood and impact of various risks, organizations can make informed and cost-effective decisions about where to allocate resources for protection. This involves determining which assets are most critical and require heightened security measures based on the level of risk they pose. While the other options (ensuring appropriate access control, applying appropriate funding to security processes, and implementing appropriate security technologies) are also important considerations, the primary benefit of risk analysis is in facilitating cost-effective decisions related to asset protection.

Agree B.

B. When you make risk analysis you can prioritize controls and optimize cost.

CRISC indicated that when new compliance regulation might affect the business, it should first analyse the existing control enough to meet the regulation of new compliance rule. Clearly the answer is D

B. cost-effective decisions are made with regard to which assets need protection

Asset protection as per the data stored in it is HIGHEST priority while doing Risk Analysis

Information security risk analysis helps to define level of protection.

Information security risk analysis helps to define level of protection.

B - cost-effective decisions are made with regard to which assets need protection

Helps define level of protection

agreed