CISM Certified Information Security Manager – Question0292 - CISM Certified Information Security Manager

Which of the following is the MAIN reason for performing risk assessment on a continuous basis'?

A. Justification of the security budget must be continually made.
B. New vulnerabilities are discovered every day.
C. The risk environment is constantly changing.
D. Management needs to be continually informed about emerging risks.

Correct Answer: C

Explanation:

Explanation:
The risk environment is impacted by factors such as changes in technology, and business strategy. These changes introduce new threats and vulnerabilities to the organization. As a result, risk assessment should be performed continuously. Justification of a budget should never be the main reason for performing a risk assessment. New vulnerabilities should be managed through a patch management process. Informing management about emerging risks is important, but is not the main driver for determining when a risk assessment should be performed.