Free Practice Questions for Isaca IT-Risk-Fundamentals Exam

The risk universe represents all potential risks that an organization faces. Reviewing the components of the risk universe at a high level provides an initial overview of the overall I&T-related risks for the enterprise. This allows for a broad understanding of the landscape before diving into more specific details.

While threats and vulnerabilities (A) are important, they are part of the risk universe, not the overall view. The risk register (B) contains details of identified risks, often with remediation plans, but it's a subset of the risk universe.

 Definition and Purpose:

A Business Continuity Plan (BCP) is a document that outlines how a business will continue operating during an unplanned disruption in service. It focuses on the processes and procedures necessary to ensure that critical business functions can continue.

 BCP Components:

The BCP typically includes Business Impact Assessments (BIAs), which identify critical functions and the impact of a disruption.

It also encompasses risk assessments, recovery strategies, and continuity strategies for critical business functions.

 Explanation of Options:

A methodical plan detailing the steps of incident response activities describes more of an Incident Response Plan (IRP).

B a document of controls that reduce the risk of losing critical processes could be part of a BCP but is more characteristic of a risk management plan.

C accurately reflects the BCP’s focus on identifying and mitigating risks to business functions through BIAs, making it the most comprehensive and accurate description.

 Conclusion:

Therefore, C correctly identifies a BCP as a document that focuses on BIAs to manage risks to critical business processes.

The criticality of an I&T asset is determined by its importance to the business processes it supports. If an asset is essential for a critical business process, it is considered highly critical. The impact of the asset's unavailability on the business process is the key factor.

While asset owners (A) are important for accountability, the business process is what drives criticality. The infrastructure (C) is relevant for security considerations, but the business process determines criticality.