The CRISC risk assessment process follows a sequence: Identify assets → Identify threats → Identify vulnerabilities → Evaluate existing controls → Assess likelihood and impact.
Per ISACA CRISC guidance:
“After identifying threats, the next step is to evaluate the effectiveness of existing controls to determine residual risk.”
Implementing new controls (Option C) happens after risk evaluation and treatment planning.
Hence, D. Evaluate the controls currently in place is correct.
CRISC Reference: Domain 2 – IT Risk Assessment, Topic: Risk Identification and Control Evaluation Steps.