PECB ISO-IEC-27005-Risk-Manager Exam - Topic 1 Question 25 Discussion

Actual exam question for PECB's ISO-IEC-27005-Risk-Manager exam
Question #: 25
Topic #: 1

Which of the following risk assessment methods provides an information security risk assessment methodology and involves three phases: build asset-based threat profiles, identify infrastructure vulnerabilities, and develop security strategy and plans?

Suggested Answer: A

OCTAVE-S is the variant of OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) tailored to small organizations. It provides a structured, asset-driven approach to identifying and managing information security risks and keeps the three phases of the original OCTAVE method:

Phase 1: Build asset-based threat profiles. The organization identifies its critical assets, the security requirements for each of them, and the threats to those assets.

Phase 2: Identify infrastructure vulnerabilities. The technological infrastructure that supports the critical assets is examined for weaknesses that the identified threats could exploit.

Phase 3: Develop security strategy and plans. The risks to the critical assets are analyzed, and a protection strategy and mitigation plans are produced to address them and improve the overall security posture.

Because the question lists exactly these three phases, OCTAVE-S is the correct answer. MEHARI and TRA are also information security risk assessment methods, but neither is structured around these three phases.
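As an added illustration (not part of the exam answer, and not code from CERT/SEI, PECB or the OCTAVE-S worksheets), the following Python walk-through chains the three OCTAVE-S phases on constructed sample data: Phase 1 groups threats by critical asset, Phase 2 maps infrastructure weaknesses to the assets they expose, and Phase 3 scores each asset/threat pair and decides whether to mitigate, accept or keep monitoring it. The assets, threats, vulnerabilities, the 1-3 impact and likelihood scales and the mitigation threshold are all assumptions made for the example; OCTAVE-S itself uses its own qualitative criteria.

```python
from dataclasses import dataclass

# Illustrative 1-3 scales; OCTAVE-S uses its own qualitative impact criteria (assumption).
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
MITIGATE_AT = 4  # assumed threshold: a score of 4 or more gets a mitigation plan


@dataclass
class Asset:
    name: str
    requirements: tuple  # security requirements, e.g. ("confidentiality", "integrity")
    impact: str          # worst-case impact if the asset is compromised


@dataclass
class Threat:
    asset: str
    actor: str       # "insider" or "outsider"
    access: str      # "network" or "physical"
    outcome: str     # "disclosure", "modification", "loss" or "interruption"
    likelihood: str


@dataclass
class Vulnerability:
    component: str
    supports: tuple  # assets this component hosts or transports
    enables: tuple   # threat outcomes this weakness makes possible
    description: str


def build_threat_profiles(assets, threats):
    """Phase 1: profile each critical asset by the threats that target it."""
    profiles = {a.name: [] for a in assets}
    for t in threats:
        if t.asset in profiles:  # threats to non-critical assets are out of scope
            profiles[t.asset].append(t)
    return profiles


def identify_infrastructure_vulnerabilities(assets, vulns):
    """Phase 2: map each infrastructure weakness to the critical assets it exposes."""
    exposures = {a.name: [] for a in assets}
    for v in vulns:
        for name in v.supports:
            if name in exposures:
                exposures[name].append(v)
    return exposures


def develop_security_strategy(assets, profiles, exposures):
    """Phase 3: score asset/threat pairs and turn them into a prioritized plan.

    A threat is scored only when Phase 2 found a weakness that enables its outcome;
    otherwise it is kept as "monitor" so it is not silently lost between cycles.
    """
    plan = []
    for a in assets:
        for t in profiles[a.name]:
            enablers = [v for v in exposures[a.name] if t.outcome in v.enables]
            if enablers:
                score = IMPACT[a.impact] * LIKELIHOOD[t.likelihood]
                action = "mitigate" if score >= MITIGATE_AT else "accept"
            else:
                score, action = 0, "monitor"
            plan.append({
                "asset": a.name,
                "threat": f"{t.actor}/{t.access}/{t.outcome}",
                "score": score,
                "action": action,
                "fix": [f"{v.component}: {v.description}" for v in enablers],
            })
    return sorted(plan, key=lambda r: r["score"], reverse=True)


# Constructed sample data for the example (not taken from any real assessment).
ASSETS = [
    Asset("customer_db", ("confidentiality", "integrity"), "high"),
    Asset("public_website", ("availability",), "medium"),
]
THREATS = [
    Threat("customer_db", "outsider", "network", "disclosure", "medium"),
    Threat("customer_db", "insider", "network", "modification", "low"),
    Threat("customer_db", "outsider", "physical", "loss", "low"),
    Threat("public_website", "outsider", "network", "interruption", "high"),
]
VULNS = [
    Vulnerability("db-server-01", ("customer_db",), ("disclosure", "modification"),
                  "database port reachable from the user VLAN"),
    Vulnerability("edge-lb", ("public_website",), ("interruption",),
                  "no rate limiting on the load balancer"),
]


def run_octave_example():
    """Run the three phases in order and return the prioritized plan."""
    profiles = build_threat_profiles(ASSETS, THREATS)
    exposures = identify_infrastructure_vulnerabilities(ASSETS, VULNS)
    return develop_security_strategy(ASSETS, profiles, exposures)


if __name__ == "__main__":
    for row in run_octave_example():
        print(f"{row['score']} {row['action']:8} {row['asset']} <- {row['threat']} {row['fix']}")
```

The point of the chain is that Phase 3 cannot be done from Phase 1 alone: the physical-loss threat to customer_db stays in the threat profile, but because Phase 2 found no infrastructure weakness that enables it, it lands at the bottom of the plan as "monitor" rather than getting a score it has not earned. The two entries that do score highest are the ones where a profiled threat meets a concrete weakness on the component that supports the asset.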


Contribute your Thoughts:

Pamella
3 days ago
OCTAVE-S is the way to go. Can't go wrong with a methodology that's been battle-tested.
upvoted 0 times
Lemuel
8 days ago
I like how OCTAVE-S covers all the key steps - asset profiling, vulnerability identification, and security planning.
upvoted 0 times
Christiane
13 days ago
OCTAVE-S seems like the most comprehensive approach to risk assessment.
upvoted 0 times
Peggy
19 days ago
I’m leaning towards OCTAVE-S as well, but I have some doubts. The phases sound familiar, but I need to double-check my notes.
upvoted 0 times
Vicky
24 days ago
I remember practicing a question similar to this, and I think TRA was mentioned as a method too. I just can't remember its phases clearly.
upvoted 0 times
Frederic
29 days ago
I feel like MEHARI could also fit, but I can't recall the specifics of its phases. It’s been a while since I reviewed that one.
upvoted 0 times
Fausto
1 month ago
I think the answer might be OCTAVE-S, but I'm not entirely sure. I remember it focusing on asset-based approaches.
upvoted 0 times
Edgar
1 month ago
I remember learning about these in our security management class, but the details are a bit fuzzy. I'll review the key steps of each method quickly and then select the one that seems to fit the question best.
upvoted 0 times
Reuben
1 month ago
Ugh, I'm drawing a blank on the specifics of these risk assessment methods. I'll have to try to eliminate the options I'm less sure about and take an educated guess on the one that seems to match the description.
upvoted 0 times
Lino
2 months ago
Okay, I've got this. OCTAVE-S is the one that involves building asset-based threat profiles, identifying infrastructure vulnerabilities, and developing security strategy and plans. I'm pretty confident that's the right answer.
upvoted 0 times
Annamae
2 months ago
Hmm, this is a tricky one. I'm not totally sure about the details of these different risk assessment methods. I'll have to try to recall the main features of each one and see which one fits the description best.
upvoted 0 times
Gayla
2 months ago
This looks like a question on risk assessment methods. I think I remember learning about OCTAVE-S, MEHARI, and TRA in class. I'll need to think through the key steps of each one to determine which one matches the description.
upvoted 0 times