Which of the following steps in conducting a risk assessment should be performed FIRST?

A.
Identity business assets

B.
Identify business risks

C.
Assess vulnerabilities

D.
Evaluate key controls

Explanation:

Risk assessment first requires one to identify the business assets that need to be protected before
identifying the threats. The next step is to establish whether those threats represent business risk

by identifying the likelihood and effect of occurrence, followed by assessing the vulnerabilities that
may affect the security of the asset. This process establishes the control objectives against which
key controls can be evaluated.