Free ISACA AAISM Actual Exam Questions - Question 13 Discussion

Question No. 13
An organization's CIO provided the AI steering committee with a list of AI technologies in use and
tasked them with categorizing the technologies by risk. Which of the following should the committee
do FIRST?
Chris C.
2026-02-22

I get why C is popular, but what if the list from the CIO is solid already? Wouldn’t starting with grouping (A) actually help spot any gaps or overlaps early on? Could grouping clarify inventory completeness before formal confirmation?

0
Chris C.
2026-02-20

Option C seems like the logical first step here. Before you can group or assess risk, you need to be sure every AI technology is accounted for in the asset inventory. If the list from the CIO isn’t complete or up-to-date, any further analysis might miss something important. Once the inventory is solid, then grouping or vulnerability assessments make more sense. Skipping this could mean working with a partial picture.

0
Yasir X.
2026-02-18

A imo, grouping similar AI products first can help spot overlaps or duplicates, making it easier to verify the inventory’s completeness before jumping into risk or vulnerability checks.

0
Rizwan T.
2026-02-15

Not B, checking vulnerabilities depends on knowing all assets first, so C makes more sense to confirm the AI tech is fully inventoried before any detailed analysis.

0
Adeel U.
2026-02-12

C/B? If the inventory isn’t complete, any risk assessment or grouping would be missing key pieces, so confirming the full asset list first (C) seems essential before diving into vulnerabilities (B).

0
Ali X.
2026-01-19

Option B makes sense too. Before grouping or assessing risk levels, identifying vulnerabilities gives a clear idea of where the real risks lie, so the committee can prioritize properly.

0
Ali X.
2026-01-15

A imo. Once you know what AI technologies are there (which the CIO already provided), the next logical step feels like grouping similar ones before diving into vulnerabilities or risk levels. Grouping helps set the stage for a more organized risk assessment later on. Skipping this could make things messy.

0
Ali X.
2026-01-11

I think the first step should be C. You gotta know what AI tech you have before you can group or assess risks properly.

0