nerdexam
(ISC)2

CISSP · Question #261

How should an organization determine the priority of its remediation efforts after a vulnerability assessment has been conducted?

The correct answer is B. Use a risk-based approach.. After a vulnerability assessment, organizations should prioritize remediation using a risk-based approach that balances the likelihood of exploitation against the potential business impact of each vulnerability.

Submitted by sofia.br· Mar 5, 2026Security and Risk Management

Question

How should an organization determine the priority of its remediation efforts after a vulnerability assessment has been conducted?

Options

  • AUse an impact-based approach.
  • BUse a risk-based approach.
  • CUse a criticality-based approach.
  • DUse a threat-based approach.

How the community answered

(30 responses)
  • A
    3% (1)
  • B
    90% (27)
  • C
    7% (2)

Why each option

After a vulnerability assessment, organizations should prioritize remediation using a risk-based approach that balances the likelihood of exploitation against the potential business impact of each vulnerability.

AUse an impact-based approach.

An impact-based approach only considers the severity of consequences if a vulnerability is exploited but ignores the probability or likelihood of exploitation, leading to potential misallocation of resources on high-impact but low-probability vulnerabilities.

BUse a risk-based approach.Correct

A risk-based approach combines both the likelihood of a threat exploiting a vulnerability and the potential impact to the organization, allowing security teams to allocate limited resources to vulnerabilities that pose the greatest overall danger. This approach accounts for asset value, threat intelligence, exploitability, and business context, making it the most comprehensive and widely accepted framework for prioritization. Standards such as NIST SP 800-30 and CVSS scoring systems support risk-based prioritization as the industry best practice.

CUse a criticality-based approach.

A criticality-based approach focuses solely on the importance of the affected asset or system, neglecting whether a vulnerability is actually exploitable or actively targeted by threat actors, which can skew prioritization.

DUse a threat-based approach.

A threat-based approach focuses primarily on known threat actors or active threats without fully accounting for the business impact or asset value, resulting in an incomplete prioritization framework compared to the holistic nature of risk-based analysis.

Concept tested: Vulnerability remediation prioritization using risk-based approach

Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Topics

#Vulnerability management#Risk prioritization#Remediation planning

Community Discussion

No community discussion yet for this question.

Full CISSP Practice