The first step is to identify at-risk assets. Before an organization can assess impact, estimate damage, or evaluate likelihood, it must first determine which assets are exposed to the zero-day vulnerability. ISACA risk guidance emphasizes asset identification and security categorization as foundational steps in risk assessment. In other words, you cannot meaningfully assess risk until you know what systems, applications, or services are affected.
Option A is correct because scoping the exposure comes first. Once at-risk assets are identified, the organization can prioritize remediation and then evaluate impact and likelihood in a focused way. ISACA’s vulnerability and risk-related material supports risk-based prioritization built on asset visibility and understanding which systems are exposed.
Option B is not first because impact assessment depends on knowing which assets are vulnerable and how critical they are. Without that scope, impact analysis is incomplete.
Option C is also not first. Likelihood matters in risk analysis, but it comes after identifying the vulnerable environment and relevant exposure. ISACA’s risk discussions place likelihood estimation after identifying assets, threats, and vulnerabilities.
Option D is similar to impact assessment and likewise depends on first knowing which assets are in scope. Estimating damage without scoping exposure would be premature.
Therefore, A is the best answer because identifying the affected assets is the necessary first step in managing the impact of a newly discovered zero-day vulnerability.
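To make the ordering concrete, the following Python script is an added illustration (not ISACA material and not part of the original explanation). It takes a constructed asset inventory and a constructed advisory for a hypothetical product called ExampleApp, performs step 1 (identify which assets run an affected build), then prioritizes remediation by criticality and exposure, and only then computes impact and likelihood over the scoped set. The likelihood weights and the internet-facing heuristic are simplifying assumptions chosen for the example, not an ISACA scoring model.

```python
"""Scoping a zero-day advisory against an asset inventory before scoring risk.

Added example, not ISACA guidance. Every inventory record and the advisory are
constructed sample data; ExampleApp is a hypothetical product name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    criticality: int       # 1 (low) to 5 (critical), from the asset's security categorization
    internet_facing: bool  # exposure attribute, used later when estimating likelihood


@dataclass(frozen=True)
class Advisory:
    product: str
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first fixed version (exclusive)


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def version_in_range(version, low, high):
    """Dotted-version comparison; shorter strings are padded so '2.0' == '2.0.0'."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) < pad(hi)


def identify_at_risk(inventory, advisory):
    """Step 1: scope the exposure. Only assets running an affected build are in scope."""
    return [
        a for a in inventory
        if a.product == advisory.product
        and version_in_range(a.version, advisory.affected_from, advisory.fixed_in)
    ]


def prioritize(at_risk):
    """Step 2: order remediation by criticality, then by internet exposure."""
    return sorted(at_risk, key=lambda a: (-a.criticality, not a.internet_facing, a.name))


# Assumed likelihood weights for the example; a real program would use its own risk model.
LIKELIHOOD_WEIGHT = {"high": 3, "medium": 2}


def assess(at_risk):
    """Steps 3 and 4: impact and likelihood are evaluated only over the scoped assets."""
    results = {}
    for a in at_risk:
        likelihood = "high" if a.internet_facing else "medium"
        results[a.name] = {
            "impact": a.criticality,
            "likelihood": likelihood,
            "risk": a.criticality * LIKELIHOOD_WEIGHT[likelihood],
        }
    return results


# Constructed inventory: two hosts run an affected ExampleApp build, three do not.
INVENTORY = [
    Asset("web-01", "ExampleApp", "2.3.1", criticality=4, internet_facing=True),
    Asset("db-01", "OtherDB", "12.1", criticality=5, internet_facing=False),
    Asset("hr-portal", "ExampleApp", "2.4.0", criticality=3, internet_facing=True),
    Asset("jump-01", "ExampleApp", "1.9.5", criticality=2, internet_facing=False),
    Asset("intranet-02", "ExampleApp", "2.0", criticality=3, internet_facing=False),
]

# Constructed advisory: ExampleApp 2.0.0 up to (but not including) 2.4.0 is affected.
ADVISORY = Advisory(product="ExampleApp", affected_from="2.0.0", fixed_in="2.4.0")


def run(inventory=INVENTORY, advisory=ADVISORY):
    """Full sequence: identify, prioritize, then assess. Returns (ordered assets, scores)."""
    at_risk = prioritize(identify_at_risk(inventory, advisory))
    return at_risk, assess(at_risk)


if __name__ == "__main__":
    ordered, scores = run()
    for asset in ordered:
        print(asset.name, scores[asset.name])
```

Note that `db-01` has the highest criticality in the inventory but never enters the impact or likelihood calculation, because step 1 established it does not run the affected product; that is the point the explanation makes about scoping before assessing.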
References (Official ISACA):
ISACA Journal, IT Asset Valuation, Risk Assessment and Control Implementation Model — asset identification and categorization precede likelihood and impact assessment.
ISACA, Using a Risk-Based Approach to Prioritize Vulnerability Remediation — supports risk-based prioritization after exposure is understood.
ISACA, Fortifying the Operational Technology Sector: Battle-Tested Cyber Resilience Strategies — emphasizes identifying exploitable weaknesses and exposed assets.
ISACA Journal, Understanding Cybersecurity Risk — likelihood and impact are part of the risk model after threats/vulnerabilities are established.