Exam CISM topic 1 question 550 discussion

Comprehensive information = Risk register. RR is narrative of the current risk profile.

Answer B) The risk assessment feeds into the risk register.

D - Risk assessments involve a detailed analysis and evaluation of risks, including their likelihood and impact, and often include the results of various risk identification and analysis techniques.

The risk register also contains information on accepted risks. This information help to define the risk profile. They are not available through a risk assessment

Option B

Comprehensive= risk assessment • Risk Assessment - Identify, Analyze, evaluate effectiveness of implemented controls - Most comprehensive set of security requirements - Internal and external factors (threats, likelihood, vulnerabilities, exposure, and impact)

The most comprehensive information related to an organization's current risk profile is the risk register. A risk register is a document or database that contains a comprehensive list of identified risks, along with information about their likelihood, potential impact, and mitigations. It provides a centralized source of information about the organization's risks, allowing for a systematic approach to risk management. It helps in understanding the nature and extent of the risks, facilitating effective decision-making and prioritization of risk mitigation strategies. While other options like gap analysis results, heat maps, and risk assessment results are useful for understanding specific aspects of an organization's risk profile, the risk register offers a more holistic view by capturing and organizing all relevant information about the identified risks.

D. Risk assessment results The risk assessment results provide the most comprehensive information related to an organization's current risk profile. A risk assessment typically involves a systematic evaluation of potential risks, their likelihood, impact, and any existing controls or mitigation measures. This assessment provides a detailed and holistic view of an organization's risk landscape, including the identification of specific risks, their severity, and the effectiveness of existing control

B. Risk register

Comprehensive; hence Risk Assessment results

A risk assessment is a systematic process of identifying, analyzing, and evaluating risks within an organization. It involves assessing the likelihood and impact of risks, considering existing controls and vulnerabilities, and determining the overall risk level. The results of a risk assessment provide a comprehensive understanding of the organization's risk landscape, including the identified risks, their potential impact, likelihood, and prioritization. This information helps inform decision-making, risk mitigation strategies, and the development of appropriate controls. On the other hand, a risk register is a tool or document that captures and tracks identified risks, along with their characteristics and status. It serves as a repository of risk-related information but may not provide the same level of comprehensive analysis and evaluation as a risk assessment. Therefore, in terms of providing comprehensive information about an organization's risk profile, the risk assessment results are typically more comprehensive than a risk register.

Key pointer in the question being "comprehensive" Risk register is much more detailed than an assessment report which is a summary.

Risk register would be elaborative....and to comprihand it we should assess the risk register...so D

The risk register, sometimes known as a risk ledger, is the primary business record in most risk management programs. A risk register is a listing of risks that have been identified. Typically, a risk register contains many items, including a description of the risk, the level and type of risk, and information about risk treatment decisions. Gregory, Peter H.; Gregory, Peter H.. CISM Certified Information Security Manager Bundle (p. 187). McGraw Hill LLC. Kindle Edition.

A comprehensive risk assessment result provides the most comprehensive information related to an organization's current risk profile and is an essential tool for ensuring that the organization is prepared to manage and mitigate risks effectively.

A comprehensive risk assessment result provides the most comprehensive information related to an organization's current risk profile and is an essential tool for ensuring that the organization is prepared to manage and mitigate risks effectively.

B. Risk register provides the most comprehensive information related to an organization's current risk profile. A risk register is a document or database that captures and tracks identified risks, their likelihood and impact, the existing controls in place to mitigate them, and the actions that are planned or in progress to address them. It provides a clear overview of all the risks that an organization is currently facing and helps to prioritize risk management efforts.