Which of the following is an output of the risk assessment process?
A. Identification of risk
B. Identification of appropriate controls
C. Mitigated risk
D. Enterprise left with residual risk
Explanation:
The output of the risk assessment process is identification of appropriate controls for reducing or
eliminating risk during the risk mitigation process. To determine the likelihood of a future adverse
event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities
and the controls in place for the IT system.
Once risk factors have been identified, existing or new controls are designed and measured for
their strength and likelihood of effectiveness. Controls are preventive, detective or corrective;
manual or programmed; and formal or ad hoc.
Answer A is incorrect. Risk identification acts as an input to the risk assessment process.
Answer D is incorrect. Residual risk is a later output, after appropriate controls are applied.
Answer C is incorrect. This is an output of the risk mitigation process, that is, after applying several
risk responses.