CISA Certified Information Systems Auditor – Question2778

When developing a risk management program, what is the FIRST activity to be performed?

A.
Threat assessment
B. Classification of data
C. Inventory of assets
D. Criticality analysis

Correct Answer: C

Explanation:

Explanation:
Identification of the assets to be protected is the first step in the development of a risk management program. A listing of the threats that can affect the performance of these assets and criticality analysis are later steps in the process. Data classification is required for defining access controls and in criticality analysis.