Which of the following steps should be performed FIRST in the risk assessment process? 

Answer options:

A. Staff interviews
B. Threat identification
C. Asset identification and valuation
D. Determination of the likelihood of identified risks

C

The first step in the risk assessment methodology is a system characterization, or identification and valuation, of all of the enterprise`s assets to define the boundaries of the assessment. Interviewing is a valuable tool to determine qualitative information about an organization`s objectives and tolerance for risk. Interviews are used in subsequent steps. Identification of threats comes later in the process and should not be performed prior to an inventory since many possible threats will not be applicable if there is no asset at risk. Determination of likelihood comes later in the risk assessment process.