The correct sequence for a risk assessment, as per ISO 31000 and ISO/IEC 27001, is: Establish context — identify — analyse — evaluate — treatment (C).
Establish context: Define the scope, objectives, and criteria for the risk assessment (e.g., organizational goals, assets, and risk appetite).
Identify: Identify potential risks (e.g., threats and vulnerabilities) that could impact objectives.
Analyse: Assess the likelihood and impact of identified risks to determine their severity.
Evaluate: Compare risks against risk criteria to prioritize them for treatment.
Treatment: Implement controls or strategies to mitigate, avoid, transfer, or accept risks.
Option A: Incorrect, as “monitor and review” is a post-treatment step, not the starting point.
Option B: Incorrect, as “communication” is not a distinct step in risk assessment; it’s embedded throughout.
Option D: Incorrect, as it skips “establish context,” which is essential for defining the assessment’s scope.
This sequence ensures a structured, systematic approach to risk assessment, aligning with organizational objectives.
[Reference: EPI CITM study guide, under Risk Management; likely references ISO 31000 or ISO/IEC 27001 for risk assessment processes. Check sections on risk assessment methodologies or risk management lifecycle.]