Free ISACA CISM Actual Exam Questions - Question 11 Discussion
organization?
Maybe D here, because vulnerability assessments scan for current weaknesses that attackers could exploit right now, giving a more live snapshot of threats than a risk register, which might lag behind updates.
B seems solid since it lists all known risks, not just tech ones like C or D. But does it really reflect new threats quickly enough to be most comprehensive? Anyone think ongoing threat intel might be missing there?
A/B? Business impact analysis (A) mainly focuses on consequences if something goes wrong, so it doesn’t really track ongoing threats. Between B and D, a risk register (B) should capture a broad range of threats and their potential impact, while a vulnerability assessment (D) is more about specific weaknesses. Since the question asks for the MOST comprehensive insight into ongoing threats, the risk register seems better because it’s supposed to be regularly updated with new threats and covers more than just technical vulnerabilities.
B/C? A risk register (B) lists known risks but might miss emerging or actual exploitation details. Penetration testing (C) shows real-world attack vectors and active weaknesses, giving practical insight into current threats. So while B is broad, C reveals ongoing, exploitable risks more directly.
B - does the risk register include both internal and external threats?