CRISC Certified in Risk and Information Systems Control – Question216

How can residual risk be determined?

A. By determining remaining vulnerabilities after countermeasures are in place.
B. By transferring all risks.
C. By threat analysis.
D. By risk assessment.

Correct Answer: D

Explanation:

Residual risk is the risk that remains after controls (countermeasures) have been applied. Like inherent risk, it is determined by a risk assessment: the assessment considers the threats, the vulnerabilities and the controls in place, and estimates the likelihood and impact of what remains. All risks, residual or not, are determined by risk assessment.
Incorrect Answers:
A: Determining the remaining vulnerabilities after countermeasures are in place says nothing about the threats that could exploit them or about the resulting likelihood and impact, so risk cannot be determined from that alone.
B: Transferring all risks is not a way of determining residual risk; it is one of the risk response (treatment) options in risk management.
C: Threat analysis alone cannot determine risk, residual or otherwise, because risk also depends on the vulnerabilities and controls present and on the resulting likelihood and impact.