CERTIFIED-IN-CYBERSECURITY Question #276: Real Exam Question with Answer & Explanation

The correct answer is B: Combination of quantitative and qualitative risk assessment.

Business Continuity (BC), Disaster Recovery (DR) & Incident Response (IR) Concepts

Question

What is the recommended approach for assessing risks when designing a Business Continuity Plan (BCP) that considers tangible and intangible assets?

Options

  • A. Quantitative risk assessment
  • B. Combination of quantitative and qualitative risk assessment
  • C. Qualitative risk assessment
  • D. Neither quantitative nor qualitative risk assessment

Explanation

When designing a business continuity plan (BCP) that addresses both tangible and intangible assets, a combination of quantitative and qualitative risk assessment is recommended (see the ISC2 Study Guide, Module 2, under Understanding Business Continuity).

Quantitative risk assessment uses numerical data to identify, measure and prioritize risks, providing a clear, objective view of the potential impact of each risk. Qualitative risk assessment, on the other hand, uses subjective data, such as expert opinion and experience, to provide a more nuanced understanding of potential risks. For example, an organization might use quantitative risk assessment to calculate the potential financial loss if a critical server fails, and qualitative risk assessment to understand the impact on the organization's reputation. By combining these approaches, the organization can fully understand the risks it faces and develop a robust BCP.

Neither approach alone provides a complete picture of risk. Quantitative risk assessment (option A) may overlook intangible assets such as reputation, while qualitative risk assessment (option C) may not accurately measure the potential financial impact. Using neither quantitative nor qualitative risk assessment (option D) is not viable because it would leave the organization unprepared for potential risks. Therefore, a combination of both approaches is the most effective way to assess all potential risks.

Topics

#Risk Assessment, #Business Continuity Planning (BCP), #Tangible Assets, #Intangible Assets
