Free ISC2 CISSP Actual Exam Questions - Question 14 Discussion
Drag and drop: What is the correct order of steps in an information security assessment? Place the information security assessment steps on the left next to the numbered boxes on the right in the correct order.
I’d say D (scoping) first, then A (identify assets). Helps narrow focus early on.
Starting with scoping sets the stage, so I’d pick that as step one.
I think starting with scoping helps define boundaries, so it’s clear what you assess. Then identifying assets and threats fits naturally before analyzing vulnerabilities and risks. That way, each step builds on the previous.
I see why scoping first makes sense, but I also think identifying assets early is key to frame what’s in scope. Without knowing assets, scoping feels vague. So maybe the order should start with asset identification, then define scope based on that. After that, vulnerabilities and threat assessment fit naturally before risk analysis. Reporting wraps it all up. Controls and monitoring are definitely post-assessment steps, so leaving those out here feels right. The question seems focused on the core assessment flow rather than the whole risk management cycle.
I'd put scoping first to know what we're assessing, then identify assets and threats. After that, check vulnerabilities, analyze risks, and wrap up with a report. Controls and ongoing monitoring feel like separate steps.
I'd say start by defining the scope first, then identify assets and threats, followed by vulnerability assessment, risk analysis, and finally reporting. Controls come after the assessment phase, so they're not in this sequence.
Not sure about the exact order here, but looks like you first identify assets, then assess risks, and finally implement controls. The drag/drop format makes it tricky without seeing all options clearly.