Certified Information Systems Security Professional – CISSP – Question377

Which of the following is the FIRST thing to consider when reviewing Information Technology (IT) internal controls?

A.
The risk culture of the organization
B. The impact of the control
C. The nature of the risk
D. The cost of the control

Correct Answer: B