CISM Domain 2 - Daily Questions - 19.06.2025

Assessment

Quiz

Information Technology (IT)

Professional Development

Hard

Created by

Nivedita Newar

8 questions

1. What is the PRIMARY purpose of a risk management framework in IT governance?

A. To eliminate all IT risks

B. To ensure compliance with all regulations

C. To provide a structured approach to identifying and managing IT risks

D. To assign blame for security incidents

Answer explanation

✅ Correct Answer: C. To provide a structured approach to identifying and managing IT risks
Explanation: Risk management frameworks offer a systematic method for identifying, assessing, and mitigating IT risks.

  • A. Eliminating all risks is unrealistic; frameworks aim to manage, not eliminate.

  • B. Compliance is a benefit, but not the primary purpose.

  • D. Frameworks are not about assigning blame but improving risk posture.

2. Which of the following is MOST important when applying a cost-benefit analysis to risk mitigation controls?

A. The popularity of the control in the industry

B. The cost of implementing the control

C. The effectiveness of the control in reducing risk relative to its cost

D. The vendor’s reputation

Answer explanation

✅ Correct Answer: C. The effectiveness of the control in reducing risk relative to its cost
Explanation: Cost-benefit analysis evaluates whether the control’s risk reduction justifies its cost.

  • A. Popularity doesn’t guarantee effectiveness or suitability.

  • B. Cost alone is insufficient without considering benefits.

  • D. Vendor reputation is secondary to actual performance and value.

3. What is the PRIMARY reason for classifying information assets?


A. To comply with data retention policies

B. To prioritize risk management efforts based on asset sensitivity and criticality

C. To reduce the number of assets in inventory

D. To simplify software licensing

Answer explanation

✅ Correct Answer: B. To prioritize risk management efforts based on asset sensitivity and criticality
Explanation: Classification helps focus resources on protecting the most valuable and sensitive assets.

  • A. Retention policies are related but not the main reason for classification.

  • C. Classification doesn’t reduce asset count.

  • D. Licensing is unrelated to asset classification.

4. Which of the following frameworks is MOST commonly used for IT risk management?

A. COBIT

B. ITIL

C. ISO 9001

D. Agile

Answer explanation

✅ Correct Answer: A. COBIT
Explanation: COBIT is widely used for governance and risk management in IT, providing controls and processes.

  • B. ITIL focuses on service management, not risk.

  • C. ISO 9001 is for quality management, not IT risk.

  • D. Agile is a development methodology, not a risk framework.

5. When performing a cost-benefit analysis, which of the following should be considered a benefit?

A. Increased system complexity

B. Reduced likelihood of a data breach

C. Higher implementation costs

D. Longer deployment time

Answer explanation

✅ Correct Answer: B. Reduced likelihood of a data breach
Explanation: Preventing breaches is a key benefit of security controls and risk mitigation.

  • A. Complexity is a drawback, not a benefit.

  • C. Costs are not benefits.

  • D. Longer deployment is a negative impact.

6. Which classification level would MOST likely apply to customer financial data?

A. Public

B. Internal Use

C. Confidential

D. Archived

Answer explanation

✅ Correct Answer: C. Confidential
Explanation: Financial data is sensitive and should be protected from unauthorized access.

  • A. Public data is openly accessible, which is inappropriate for financial data.

  • B. Internal use is less restrictive than needed for financial data.

  • D. Archived refers to storage status, not sensitivity.

7. What is the PRIMARY benefit of using a standardized risk management framework?

A. It guarantees zero risk

B. It simplifies budgeting

C. It ensures consistent risk assessment and treatment

D. It eliminates the need for audits

Answer explanation

✅ Correct Answer: C. It ensures consistent risk assessment and treatment
Explanation: Frameworks provide repeatable processes that improve consistency and reliability.

  • A. No framework can eliminate all risk.

  • B. Budgeting may be aided but is not the primary benefit.

  • D. Audits are still necessary even with frameworks.

8. Which of the following is the BEST example of a cost in a cost-benefit analysis for a new firewall?

A. Reduced attack surface

B. Improved network performance

C. Purchase and maintenance expenses

D. Increased customer trust

Answer explanation

✅ Correct Answer: C. Purchase and maintenance expenses
Explanation: Costs include financial outlays for acquiring and maintaining the control.

  • A. Reduced attack surface is a benefit.

  • B. Improved performance is a benefit.

  • D. Trust is a reputational benefit, not a cost.