PrepAway - Latest Free Exam Questions & Answers

Which of the following should be considered FIRST when implementing a risk management program?

A. An understanding of the organization’s threat, vulnerability and risk profile

B. An understanding of the risk exposures and the potential consequences of compromise

C. A determination of risk management priorities based on potential consequences

D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level

Explanation:
Implementing risk management, as one of the outcomes of effective information security governance, requires
a collective understanding of the organization’s threat, vulnerability and risk profile as a first step. Based
on this profile, risk exposure and the potential consequences of compromise can be determined.
Risk management priorities can then be developed based on those potential consequences. These priorities
provide a basis for formulating risk mitigation strategies sufficient to keep risk consequences at an
acceptable level.

