Isaca

CGEIT · Question #330

CGEIT Question #330: Real Exam Question with Answer & Explanation

The correct answer is C: Identify assets. The first step in establishing a risk management process is to identify the assets that need protection, as the value and nature of these assets drive all subsequent risk analysis activities.

Submitted by andreas_gr · Apr 18, 2026 · Risk Optimization

Question

When establishing a risk management process, which of the following should be the FIRST step?

Options

  • A. Determine the probability of occurrence
  • B. Identify threats
  • C. Identify assets
  • D. Assess risk exposures

Explanation

The first step in establishing a risk management process is to identify the assets that need protection, as the value and nature of these assets drive all subsequent risk analysis activities.

Common mistakes.

  • A. Determining the probability of occurrence is a step in risk assessment, which comes after assets, threats, and vulnerabilities have been identified.
  • B. Identifying threats is a crucial step in risk management, but it logically follows the identification of assets, as threats are only relevant in the context of what they can harm.
  • D. Assessing risk exposures involves evaluating the likelihood and impact of risks, which is a later step in the risk assessment process, performed after assets, threats, and vulnerabilities are known.

Concept tested. Risk management process initiation

Reference. https://learn.microsoft.com/en-us/security/benchmark/azure/governance-risk-compliance-risk-assessment

Topics

#Risk management process #Asset identification #Risk framework
