
Weekly CISSP Practice

Exam Questions

Week 49 - Question 2

What's the primary goal of a risk assessment?

A. Identifying assets
B. Compliance
C. Identifying vulnerabilities and threats
D. Policy review

Answer: C. Identifying vulnerabilities and threats
Explanation:

Risk Assessment Breakdown

  •  Identifying Vulnerabilities and Threats: This is the analytical heart of the process. A vulnerability is a weakness (like unpatched software), and a threat is a potential danger that could exploit that weakness (like a hacker or a hurricane). Risk only exists where the two overlap against an asset you care about: a threat with no matching weakness, or a weakness no threat can reach, is not a risk.

  •  Risk Analysis: Once identified, you rate each risk's Likelihood (how often it might happen) and Impact (how much it will hurt). Qualitatively this is a High/Medium/Low matrix; quantitatively it is an Annualized Loss Expectancy, ALE = SLE × ARO (Single Loss Expectancy × Annualized Rate of Occurrence). Either way the result is a ranked risk score that helps management prioritize spending.

  •  Supporting Decision Making: The ultimate output of a risk assessment is providing senior leadership with enough information to choose a Risk Response:

     1.  Mitigate (reduce likelihood or impact with controls)

     2.  Transfer (shift the loss to a third party, e.g. insurance or outsourcing)

     3.  Accept (knowingly retain the residual risk, typically because it is within appetite or a control would cost more than the loss it prevents)

     4.  Avoid (stop the activity that creates the risk)
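As an added worked example (not part of the original page), here is the three-step procedure above carried through in Python: identify threat/vulnerability pairs against assets, score them, and map the numbers onto the four risk responses. The register entries, dollar values, frequencies and the $5,000 tolerance are constructed sample data; the 5x5 qualitative score and ALE = SLE × ARO are the standard CISSP formulas, but the decision rules in choose_response are one reasonable interpretation of the four responses, not an official formula.

```python
"""Worked risk-assessment example (added illustration; not from the original
page). Assets, dollar values, frequencies and tolerance are constructed
sample data; the response rules in choose_response are one reasonable
reading of Mitigate / Transfer / Accept / Avoid, not a standard formula."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    asset: str
    threat: str              # what could cause harm (hacker, hurricane, ...)
    vulnerability: str       # the weakness the threat could exploit
    likelihood: int          # 1 (rare) .. 5 (almost certain), qualitative
    impact: int              # 1 (negligible) .. 5 (catastrophic), qualitative
    asset_value: float       # AV: dollar value of the asset
    exposure_factor: float   # EF: fraction of AV lost in one incident (0..1)
    aro: float               # ARO: expected incidents per year


@dataclass
class Control:
    name: str
    annual_cost: float
    ef_after: float          # residual EF with the control in place
    aro_after: float         # residual ARO with the control in place


def qualitative_score(r: Risk) -> int:
    """Likelihood x impact on a 5x5 matrix (1..25); used for ranking."""
    return r.likelihood * r.impact


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: loss from one occurrence."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: SLE x ARO."""
    return sle(asset_value, exposure_factor) * aro


def control_value(r: Risk, c: Control) -> float:
    """Cost/benefit of a safeguard: ALE before - ALE after - annual cost.
    Positive means the control saves more than it costs."""
    before = ale(r.asset_value, r.exposure_factor, r.aro)
    after = ale(r.asset_value, c.ef_after, c.aro_after)
    return before - after - c.annual_cost


def choose_response(r: Risk, c: Optional[Control], tolerance_ale: float) -> str:
    """Map the numbers onto the four risk responses (assumed rules).

    Accept   - expected annual loss is already within management's appetite.
    Mitigate - a proposed control has positive value (see control_value).
    Otherwise the risk is too large to accept and no control pays for itself,
    which leaves Transfer (insurance, outsourcing) or Avoid (stop the activity).
    Picking between those two is a management decision, not arithmetic.
    """
    if ale(r.asset_value, r.exposure_factor, r.aro) <= tolerance_ale:
        return "Accept"
    if c is not None and control_value(r, c) > 0:
        return "Mitigate"
    return "Transfer or Avoid"


def prioritize(risks: List[Risk]) -> List[str]:
    """Asset names ordered by qualitative score, highest first."""
    return [r.asset for r in sorted(risks, key=qualitative_score, reverse=True)]


# Constructed sample register: three threat/vulnerability pairs.
RISKS: List[Risk] = [
    Risk("Customer DB", "ransomware", "unpatched file server", 4, 5, 500_000, 0.4, 0.5),
    Risk("Lobby kiosk", "vandalism", "unattended device", 2, 1, 2_000, 1.0, 0.2),
    Risk("Data center", "hurricane", "single coastal site", 2, 5, 4_000_000, 0.75, 0.05),
]

# Candidate safeguards keyed by asset (None where nothing was proposed).
CONTROLS: Dict[str, Optional[Control]] = {
    "Customer DB": Control("patching + offline backups", 30_000, 0.2, 0.1),
    "Lobby kiosk": None,
    "Data center": Control("flood barriers", 200_000, 0.5, 0.05),
}

TOLERANCE_ALE = 5_000.0   # constructed appetite: up to $5k expected loss/year per risk


def assess(risks=RISKS, controls=CONTROLS, tolerance=TOLERANCE_ALE) -> Dict[str, str]:
    """Run the whole procedure and return asset -> chosen response."""
    return {r.asset: choose_response(r, controls.get(r.asset), tolerance) for r in risks}


if __name__ == "__main__":
    for r in sorted(RISKS, key=qualitative_score, reverse=True):
        current = ale(r.asset_value, r.exposure_factor, r.aro)
        print(f"{r.asset:12} score={qualitative_score(r):2} ALE=${current:>10,.0f} "
              f"-> {choose_response(r, CONTROLS.get(r.asset), TOLERANCE_ALE)}")
```

Running it ranks the ransomware risk first (score 20, ALE $100,000) and recommends Mitigate because the $30,000 control cuts ALE to $10,000; the kiosk (ALE $400) is Accepted because it sits inside the tolerance; the hurricane risk (ALE $150,000) gets Transfer or Avoid because the proposed $200,000 barrier only removes $50,000 of annual loss. Note that the quantitative ranking and the qualitative one can disagree, which is exactly why the assessment hands both to leadership rather than deciding for them.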


Why the other options are incorrect

  • A. Identifying Assets: This is actually the first step (you can't assess risk to something if you don't know you have it), but it is a prerequisite, not the final goal.

  • B. Compliance: This is a driver or a secondary benefit. You might perform a risk assessment to be compliant with HIPAA or PCI DSS, but the assessment's functional goal is to find risks.  

  • D. Policy Review: This is an Administrative Control. While a risk assessment might reveal that your policies are weak (a vulnerability), reviewing the policy itself is a separate management task.

The "CISSP Rule of Thumb": If you see a question about the "Goal of Risk Management," the answer is usually "Reducing risk to an acceptable level." If the question is about "Risk Assessment," the answer is "Identifying and evaluating risks."
