
CRISC · Question #375

CRISC Question #375: Real Exam Question with Answer & Explanation

The correct answer is B: IT assets. To identify relevant IT risk scenarios, a risk practitioner should first review IT assets to understand what needs protection and what could be impacted.

Submitted by katya_ua · Apr 18, 2026 · IT Risk Assessment

Question

A risk practitioner is involved in a comprehensive overhaul of the organizational risk management program. Which of the following should be reviewed FIRST to help identify relevant IT risk scenarios?

Options

  • A. Technology threats
  • B. IT assets
  • C. Security vulnerabilities
  • D. IT risk register

Explanation

To identify relevant IT risk scenarios, a risk practitioner should first review IT assets to understand what needs protection and what could be impacted.

Common mistakes.

  • A. Technology threats are external factors that can exploit vulnerabilities, but without knowing the assets, it's difficult to assess which threats are relevant to the organization.
  • C. Security vulnerabilities are weaknesses in assets, but one must first identify the assets before assessing their weaknesses.
  • D. An IT risk register contains existing risks, but an overhaul of the program requires a foundational look at what constitutes risk, starting with assets, rather than just reviewing what has already been identified.

Concept tested. IT risk identification starting point

Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Topics

Risk identification · IT assets · Risk scenarios · Risk management program
