CRISC Certified in Risk and Information Systems Control – Question277

Suppose you are working in Company Inc. and you are using risk scenarios for estimating the likelihood and impact of the significant risks on this organization. Which of the following assessment are you doing?

A.
IT security assessment
B. IT audit
C. Threat and vulnerability assessment
D. Risk assessment

Correct Answer: C

Explanation:

Explanation:
Threat and vulnerability assessment consider the full spectrum of risks. It identifies the likelihood of occurrence of risks and impact of the significant risks on the organization using the risk scenarios. For example: Natural threats can be evaluated by using historical data concerning frequency of occurrence for given natural disasters such as tornadoes, hurricanes, floods, fire, etc.
Incorrect Answers: A, B: These use either some technical evaluation tool or assessment methodologies to evaluate risk but do not use risk scenarios.
D: Risk assessment uses quantitative and qualitative analysis approaches to evaluate each significant risk identified.