Question 14 - ASIS CPP Real Exam Questions [March 2026 Update]

Q: 14

The first task of a security practitioner in a security risk assessment is to develop an understanding of the:

Options

Correct Answer:

Explanation

The foundational first step in any security risk assessment is to establish the context, which requires a comprehensive understanding of the organization. This includes its mission, vision, values, culture, strategic objectives, operations, and regulatory environment. Without this understanding, a security practitioner cannot accurately identify critical assets, relevant threats, or the potential business impact of a security event. All subsequent steps, such as identifying vulnerabilities and analyzing impacts, are predicated on this initial organizational analysis.

Why Incorrect

A. vulnerabilities: Identifying vulnerabilities is a subsequent step in the risk assessment process that can only be performed after critical assets and the organizational context are understood.

C. impact of events: Assessing the potential impact of an event is part of risk analysis, which follows the initial steps of understanding the organization and identifying its assets.

D. cost/benefit analysis: This is a component of the risk treatment phase, which occurs after the risk assessment is complete and is used to select appropriate mitigation strategies.

References

1. ASIS International. (2015). ASIS/ANSI RA.1-2015

Risk Assessment. Section 5.2

"Establish the Context

" outlines the first step of the risk management framework. It states

"The organization shall establish the external and internal context for the risk management process... This can involve

but is not limited to... the organization's governance

objectives and strategies...". This directly supports understanding the organization as the initial task.

2. Fischer

R. J.

Halibozek

& Walters

D. C. (2019). Introduction to Security (10th ed.). Butterworth-Heinemann. Chapter 5

"The Security Risk Assessment

" explains that the process begins with a "criticality assessment

" which involves understanding the organization's mission and identifying its most critical assets and processes. This is fundamentally about understanding the organization.

3. ASIS International. (2021). Protection of Assets (POA). Security Management volume. The section on "Risk Management" details the process

emphasizing that asset characterization and understanding the business environment are the initial activities that frame the entire assessment. Without this context

the assessment lacks direction and relevance.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE