A.Change control documentation

B.IT risk register

C.Risk profile

D.Audit engagement letter

A.helps in calculating the expected cost of controls

B.can be used to determine the indirect business impact.

C.uses qualitative risk rankings such as low. medium and high.

D.can be used m a cost-benefit analysts

A.Include information security control specifications in business cases.

B.Identify key risk indicators (KRIs) as process output.

C.Design key performance indicators (KPIs) for security in system specifications.

D.Identify information security controls in the requirements analysis

A.risk appetite and control efficiency.

B.residual risk and cost of control.

C.inherent risk and control effectiveness.

D.risk tolerance and control complexity.

A.Identify conditions that may cause disruptions.

B.Review incident response procedures.

C.Evaluate the probability of risk events.

D.Define metrics for restoring availability.