CISM - AIO 2nd - The risk analyst studies different event scenarios and determines the impact of each. This may be expressed in quantitative terms (dollars or other currency) or qualitative terms (high/medium/low or a numeric scale of 1 to 5 or of 1 to 10). Sounds like B to me

Information security risk analysis helps organizations identify and prioritize potential risks to their information assets. By assessing the likelihood and impact of various risks, organizations can make informed and cost-effective decisions about where to allocate resources for protection. This involves determining which assets are most critical and require heightened security measures based on the level of risk they pose. While the other options (ensuring appropriate access control, applying appropriate funding to security processes, and implementing appropriate security technologies) are also important considerations, the primary benefit of risk analysis is in facilitating cost-effective decisions related to asset protection.

B is correct answers exam still valid, took it today and all thanks ExamforSure.com

(A is correct) if you want valid Questions and Answers. You have the site name above.

Are these answers valid for the actual exam?

CRISC indicated that when new compliance regulation might affect the business, it should first analyse the existing control enough to meet the regulation of new compliance rule. Clearly the answer is D

Will go with the explanation by Viperhunter

B. cost-effective decisions are made with regard to which assets need protection

Asset protection as per the data stored in it is HIGHEST priority while doing Risk Analysis

Information security risk analysis helps to define level of protection.

Information security risk analysis helps to define level of protection.

B - cost-effective decisions are made with regard to which assets need protection

Helps define level of protection

agreed