Free ISC2 CISSP Actual Exam Questions - Question 4 Discussion

Question No. 4: Drag & Drop

DRAG DROP: Order the below steps to create an effective vulnerability management process.

Options
A. Identify assets
B. Identify risks
C. Implement change management
D. Implement patch deployment
E. Implement recurring scanning schedule
Amir D.
2026-02-14

I’d put asset inventory (B) first because you can’t manage vulnerabilities without knowing what assets you have. Then scanning (C) to find weaknesses, followed by verifying and prioritizing (D) to focus efforts where they matter most. Defining roles (A) feels like it should happen alongside or just after these steps to make sure the team can act on the findings properly. Starting with roles might delay finding what actually needs protection, so sorting out the assets first seems more logical to me.

0
Zain U.
2026-02-14

I agree with starting by defining roles (A) so responsibilities are clear, then doing asset inventory (B) to know what to protect. Scanning (C) comes next to find issues, followed by verifying and prioritizing (D) to focus efforts properly.

0
Sarah R.
2026-02-13

Starting with asset inventory makes sense to know what you’re protecting, then scanning to find vulnerabilities, followed by verifying and prioritizing for effective patching. Defining roles early keeps things organized throughout.

0
Carlos N.
2026-02-10

I think the key is to start with defining roles so everyone knows their responsibilities from the get-go. Without clear roles, the rest of the steps could become sloppy or delayed. After that, an asset inventory sets the foundation, followed by scanning to identify vulnerabilities. Once you have those findings, verifying them makes sure you’re not chasing false alarms before prioritizing what needs fixing first. Skipping verification risks wasting resources on stuff that isn’t really a threat. So, roles first, then inventory, scan, verify, and prioritize sounds like a solid order to me.

0
Rayan N.
2026-01-27

Defining roles should come before scanning to ensure accountability.

0
Zain D.
2026-01-25

Starting with asset inventory is a must, but I think after scanning, verifying findings before prioritizing helps avoid wasting time on false positives. That way, you only address real issues first.

0
Zain D.
2026-01-24

I think you start with asset inventory to know what you have, then perform the vulnerability scan. After scanning, prioritizing vulnerabilities before remediation makes sense to tackle the riskiest issues first.

0
Shah U.
2026-01-22

I’d say starting with defining roles and responsibilities should come right after asset inventory. Without clear ownership, scanning and remediation could get delayed or overlooked. Then you move on to vulnerability scanning and assessment, followed by prioritizing based on risk. The last steps are remediation and continuous monitoring to keep the cycle going. The image seems to follow that flow except it might not explicitly show ongoing updates, but that’s implied with monitoring.

0
Chris C.
2026-01-20

Starting with asset inventory sets a solid foundation for the whole process.

0
Bilal L.
2026-01-16

Agree, asset inventory first is key before any scanning or assessment.

0
Bilal L.
2026-01-15

Start with asset inventory before scanning; can’t fix what you don’t know.

0
Bilal L.
2026-01-15

The image isn't loading for me, but from what I remember, setting up a vulnerability management process usually starts with identifying and classifying assets. Then you’d scan for vulnerabilities, assess the risk, prioritize based on business impact, apply patches or mitigation, and finally monitor continuously. If the question’s asking for order, those steps should be roughly it. Would be good to get a clearer breakdown to match the exact terms used. Anyone else got a better step list or how they’d map this?

0