CGEIT Question #303: Real Exam Question with Answer & Explanation
The correct answer is C: Mapping of business objectives to IT risk.
Question
An enterprise has decided to execute a risk self-assessment to identify improvement opportunities for current IT services. Which of the following is MOST important to address in the assessment?
Options
- A. Related business risk
- B. Residual IT risk
- C. Mapping of business objectives to IT risk
- D. IT capability and performance measures
Explanation
When conducting an IT risk self-assessment, it is most important to address the mapping of business objectives to IT risk to ensure alignment and relevance. This ensures that the identified IT risks are evaluated in the context of their potential impact on the enterprise's strategic goals.
Common mistakes.
- A. Related business risk is certainly important, but the "mapping" provides the critical link between IT's technical risks and their impact on broader business outcomes.
- B. Residual IT risk is what remains after controls are applied, and while important to identify, it is an outcome of the assessment process and secondary to understanding the strategic relevance of all risks.
- D. IT capability and performance measures are operational metrics, which can be indicators of risk or control effectiveness, but they do not define the strategic context of the risk assessment itself.
Concept tested. IT risk assessment alignment