
CGEIT Question #51: Real Exam Question with Answer & Explanation

The correct answer is D: Enterprise definitions for risk impact and probability. Before an IT strategy committee can approve a risk assessment framework, it is most important to have established enterprise-wide definitions for risk impact and probability to ensure consistent evaluation.

Submitted by naveen.iyer · Apr 18, 2026 · Domain: Risk Optimization

Question

Before an IT strategy committee can approve an IT risk assessment framework, which of the following is MOST important to have established?

Options

  • A. An enterprise risk mitigation strategy
  • B. Leading and lagging risk indicators
  • C. IT performance metrics and standards
  • D. Enterprise definitions for risk impact and probability

Explanation

Before an IT strategy committee can approve a risk assessment framework, it is most important to have established enterprise-wide definitions for risk impact and probability to ensure consistent evaluation.

Common mistakes.

  • A. An enterprise risk mitigation strategy is an outcome of a risk assessment and analysis process, not a prerequisite for approving the framework itself.
  • B. Leading and lagging risk indicators are used to monitor and measure risk over time, which comes after the risk assessment framework is established and operationalized.
  • C. IT performance metrics and standards relate to operational efficiency and effectiveness, which are separate from the foundational definitions required for a risk assessment framework.

Concept tested. IT risk assessment framework prerequisites

Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Topics

#IT Risk Assessment #Risk Framework #Risk Definitions #Risk Management Foundations
