Which THREE of the following are key components of an IT risk assessment report as per ISACA guidelines?
Risk scenarios and levels are core to the assessment report.
Why this answer
Option C is correct because an IT risk assessment report, per ISACA guidelines, must include identified risk scenarios and their associated risk levels. This is a core component that documents the specific threats, vulnerabilities, and the resulting inherent risk ratings (e.g., using a 5x5 risk matrix) to provide a clear picture of the risk landscape.
Exam trap
The trap here is that candidates often confuse the risk assessment report with the risk treatment plan or control testing report, leading them to select options like cost-benefit analysis or detailed control testing results, which are not core components of the risk assessment report per ISACA guidelines.