EXAM 2025
What is risk assessment? - ✅✅✅CORRECT -The identification, analysis, and evaluation of
uncertainties to objectives and outcomes; it provides a comparison between the desired/undesired
outcomes and the expected rewards/losses of organizational objectives.
What do the results of the risk assessment inform? - ✅✅✅CORRECT -The responsible and
accountable decision maker(s) of choices available to effectively manage risk to achieve the
organization's objectives.
What is the goal of a risk assessment program? - ✅✅✅CORRECT -To review the risk management
controls and system, as well as to identify opportunities for improvement.
What are three contributing factors to an organization's risk criteria? - ✅✅✅CORRECT -Risk appetite,
Risk tolerance, Risk aversion.
What is risk appetite? - ✅✅✅CORRECT -The risk an organization is willing to pursue, retain, or take.
What is risk tolerance? - ✅✅✅CORRECT -The risk an organization is ready to bear after risk
treatment.
What is risk aversion? - ✅✅✅CORRECT -The risk an organization is not willing to undertake.
What should the scope of the risk assessment define? - ✅✅✅CORRECT -The processes, functions,
activities, physical boundaries (facilities and locations), and stakeholders included within the boundaries
of the risk assessment program.
What determines the resource and time requirements needed for the individual risk assessments? -
✅✅✅CORRECT -The scope of the risk assessment program.
What is the first step of a risk assessment? - ✅✅✅CORRECT -Setting objectives.
What is a gap analysis? - ✅✅✅CORRECT -A technique that can be used to determine what steps
might need to be taken to improve the organization's capacity to move from a current state to a desired,
future state.
What are the three steps of a gap analysis? - ✅✅✅CORRECT -Noting currently available factors given
the current resource situation, Listing success factors needed to achieve future, desired objectives,
Highlighting the gaps that exist and what gaps may need to be filled to be successful.
How can data be gathered during a risk assessment? - ✅✅✅CORRECT -Direct contact - between
stakeholders and the assessment team; Indirect review - assessment team review of available data and
documentation.
What is risk analysis? - ✅✅✅CORRECT -A process to understand the nature and level of risk to
determine its significance.
What is the purpose of a risk analysis? - ✅✅✅CORRECT -The risk analysis process assesses the
likelihood and consequences to determine the level of risk and prioritize risk treatments.
What is risk evaluation? - ✅✅✅CORRECT -Risk evaluation uses the risk criteria and outputs from the
risk identification and risk analysis steps, to determine what risks are acceptable with existing risk
treatments and which require additional risk treatment.
What is a business impact analysis? - ✅✅✅CORRECT -Evaluates, determines, and prioritizes critical
activities, functions, and processes, and determines the time frames and resource requirements to
maintain these critical activities, functions, and processes following a risk event.
What should a business impact analysis determine? - ✅✅✅CORRECT -Criticality, Maximum
downtime, Resource requirements.
How are timeframes and recovery objectives typically defined in a business impact analysis? -
✅✅✅CORRECT -Maximum allowable outage, Recovery time objective, Recovery point objective.