
PECB ISO-IEC-27005-Risk-Manager Exam - Topic 4 Question 28 Discussion

Actual exam question for PECB's ISO-IEC-27005-Risk-Manager exam
Question #: 28
Topic #: 4

Which of the following risk assessment methods provides an information security risk assessment methodology and involves three phases: build asset-based threat profiles, identify infrastructure vulnerabilities, and develop security strategy and plans?

Suggested Answer: A

OCTAVE-S (Operationally Critical Threat, Asset, and Vulnerability Evaluation for Small Organizations) is a risk assessment methodology tailored for small organizations. It provides a structured approach for identifying and managing information security risks. The OCTAVE-S method involves three main phases:

Building asset-based threat profiles, where critical assets and their associated threats are identified.

Identifying infrastructure vulnerabilities by assessing the organization's technological infrastructure for weaknesses that could be exploited by threats.

Developing security strategy and plans to address the identified risks and improve the overall security posture.

The OCTAVE-S method aligns with the description provided in the question, making it the correct answer. MEHARI and TRA are other risk assessment methods, but they do not specifically follow the three phases outlined above.


Contribute your Thoughts:

Fletcher
2 days ago
I feel like MEHARI could be a contender too, but I can't recall its specific phases. It seems similar to what we practiced.
upvoted 0 times
Laurel
7 days ago
I think the answer might be OCTAVE-S, but I'm not entirely sure. I remember it focuses on asset-based approaches.
upvoted 0 times