CRISC Certified in Risk and Information Systems Control – Question782

Which of the following activities should be performed FIRST when establishing IT risk management processes?

A.
Conduct a high-level risk assessment based on the nature of business.
B. Collect data of past incidents and lessons learned.
C. Identify the risk appetite of the organization.
D. Assess the goals and culture of the organization.

Correct Answer: D