Free CompTIA Security Plus SY0-701 Actual Exam Questions - Question 11 Discussion
organization's risk management program?
Option A makes sense too, since policies set the framework for the whole risk management approach. Without checking them first, you might miss how risks are supposed to be identified and handled.
B/C? I get why folks pick A first, but checking asset management (B) could be just as important initially, since managing assets directly ties into risk exposure. If assets aren’t identified or controlled well, policies won’t be effective. So, verifying what assets are in scope might come before detailed vulnerability assessments (C) or business impact analysis (D). Policies alone don’t guarantee risks are well understood or managed without knowing what you’re protecting.
C/D? I feel like, after verifying policies, understanding how business impact analysis is done (D) could be crucial before digging into specific vulnerabilities. It gives a broader picture of risk priorities.
A vs C. I think starting with policies and procedures (A) makes sense to see if the program is properly set up before diving into assessments.