Quick review: Risk Management – ISC2 CC

This review sheet helps you go over the fundamental concepts of risk management before taking the quiz on the Risk Management topic.

What you really need to know

Risk management is the process by which an organization identifies, assesses and treats risks that can harm systems, data, people, processes or services.

For ISC2 CC, you need to understand that security is not only about blocking threats, but about reducing risk to a level that is acceptable for the organization. Not all risks can be eliminated: some are mitigated, others accepted, transferred or avoided.

Key concepts

  • Asset: something that has value for the organization, such as data, systems, applications or services.
  • Threat: an event or actor that can cause harm.
  • Vulnerability: a weakness that can be exploited by a threat.
  • Risk: the possibility that a threat exploits a vulnerability and causes an impact.
  • Impact: negative consequence if the risk materializes.
  • Likelihood: probability that an event will occur.
  • Residual risk: risk that remains after controls have been applied.
  • Mitigation: reduction of risk through controls.
  • Acceptance: conscious decision to tolerate a risk.
  • Transfer: shifting part of the risk, typically its financial consequences, to a third party, for example through insurance or outsourcing; accountability stays with the organization.
  • Avoidance: elimination of the activity that creates the risk.

Differences not to confuse

Concept          Main meaning
Asset            Resource to protect
Threat           Something that can cause harm
Vulnerability    Exploitable weakness
Risk             Likelihood and impact of a harmful event
Impact           Damage or negative consequence
Likelihood       Probability that the event will occur
Residual risk    Risk remaining after controls
Mitigation       Risk reduction through controls
Acceptance       Consciously tolerating the risk
Transfer         Shifting part of the risk to a third party
Avoidance        Eliminating the risky activity

Assets, threats and vulnerabilities

Risk management starts from assets. An asset can be a database, a server, an application, a privileged account, a network, a cloud service or sensitive information.

A threat can be an attacker, malware, human error, technical failure, fire, loss of connectivity or a compromised supplier.

A vulnerability is a weakness that makes harm possible or more likely: weak passwords, unpatched systems, misconfigurations, lack of backups, excessive access or lack of training.

Risk arises when a threat can exploit a vulnerability on an important asset.

Likelihood and impact

Risk is often assessed by combining likelihood and impact.

Likelihood indicates how possible it is that an event will occur.

Impact indicates how serious the damage would be if the event occurred.

A very likely event with low impact may be less critical than a rare event with very high impact. This is why risk management must consider both dimensions.

Risk assessment

Risk assessment is the structured evaluation of risk. It is used to understand which risks exist, how significant each one is and which should be treated first.

A simple process may include:

  • identifying assets;
  • identifying threats and vulnerabilities;
  • estimating likelihood and impact;
  • evaluating the level of risk;
  • deciding which controls to apply;
  • documenting and monitoring risk over time.

For ISC2 CC, you need to remember that risk assessment helps make risk-based decisions, not decisions based only on perception or fear.

Risk treatment

After assessing a risk, you need to decide how to treat it. The main strategies are:

  • mitigate;
  • accept;
  • transfer;
  • avoid.

These options are very common in quizzes.

Risk mitigation

Mitigating means reducing risk by applying controls.

Examples:

  • applying patches;
  • using MFA;
  • configuring firewalls;
  • making backups;
  • training users;
  • segmenting the network;
  • monitoring access;
  • removing excessive privileges.

Mitigation does not always eliminate risk. Often, it reduces it to a more acceptable level.

Risk acceptance

Accepting a risk means consciously deciding to tolerate it.

This choice may make sense when:

  • the risk is low;
  • the cost of the control is too high;
  • the impact is limited;
  • the organization decides that the residual risk is acceptable.

Warning: accepting a risk does not mean ignoring it. It must be a conscious, documented and approved decision.

Risk transfer

Transferring a risk means shifting part of it to an external party.

Examples:

  • cyber insurance;
  • outsourcing;
  • supplier contracts;
  • managed services;
  • responsibility agreements.

Transfer does not completely eliminate risk. Even if a supplier manages a service, the organization remains responsible for its own security and data protection: the task can be delegated, but accountability for the outcome cannot be outsourced.

Risk avoidance

Avoiding a risk means eliminating the activity that creates it.

Example: if an obsolete application exposes sensitive data and cannot be adequately protected, the organization may decide to decommission it.

Avoidance can be effective, but it is not always possible, because some activities are necessary for the business.

Residual risk

Residual risk is the risk that remains after controls have been applied.

Example:

  • initial risk: unauthorized access to corporate accounts;
  • applied control: MFA;
  • residual risk: advanced phishing, session theft or human error.

The key point is that security reduces risk, but rarely brings it to zero.
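The likelihood-and-impact scoring, the assessment steps and the residual-risk idea from the sections above, shown together as an added worked example in Python. This code is not part of the ISC2 CC material or of this review sheet. The 1-5 rating scale, the band cut-offs, the three sample risks, the numeric effect assigned to each control and the risk-appetite threshold are all assumptions made for the illustration; real programmes use their own scales and apply judgement rather than fixed subtraction.

```python
"""Qualitative risk register (added illustration, not part of the ISC2 CC
material): inherent risk = likelihood x impact on a 1-5 scale, residual risk
after controls, and a check of the residual against the organization's risk
appetite. Scales, bands, sample risks, control effects and the appetite
threshold below are constructed assumptions."""

from dataclasses import dataclass, field

# Assumed 1-5 rating scale used for both likelihood and impact.
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


def band(score: int) -> str:
    """Map a 1-25 score to a qualitative band (assumed 5x5 matrix cut-offs)."""
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 14:
        return "high"
    return "critical"


@dataclass
class Control:
    name: str
    # Assumed effect of the control: how many steps it lowers each rating.
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control is applied: likelihood x impact."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual_score(self) -> int:
        """Risk after controls. A rating never drops below 1, so the residual
        is never zero: controls reduce risk, they do not remove it."""
        lik = SCALE[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = SCALE[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1) * max(imp, 1)


def treatment_status(risk: Risk, appetite: int = 6) -> str:
    """Compare the residual with the assumed appetite (max acceptable score).
    Within appetite the residual can be formally accepted and documented;
    above it the risk still needs treatment (more mitigation, transfer,
    or avoiding the activity altogether)."""
    if risk.residual_score() <= appetite:
        return "accept residual risk"
    return "treat further"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register so the largest inherent risks are handled first."""
    return sorted(register, key=lambda r: r.inherent_score(), reverse=True)


def build_register() -> list[Risk]:
    """Constructed sample register with three risks (not real data)."""
    patching = Control("patch management", likelihood_reduction=2)
    backups = Control("offline backups", impact_reduction=2)
    mfa = Control("MFA on all accounts", likelihood_reduction=2)
    return [
        Risk("customer database", "ransomware", "unpatched server",
             "high", "very high", [patching, backups]),
        Risk("corporate accounts", "phishing", "password-only login",
             "very high", "high", [mfa]),
        Risk("public website", "defacement", "outdated CMS",
             "medium", "low"),
    ]


if __name__ == "__main__":
    for r in prioritize(build_register()):
        print(f"{r.asset:18} inherent {r.inherent_score():2} ({band(r.inherent_score())})"
              f" -> residual {r.residual_score():2} ({band(r.residual_score())}):"
              f" {treatment_status(r)}")
```

Running it shows the point of the residual-risk section: the account-takeover risk starts at the same inherent score as the ransomware risk, and MFA lowers it substantially, yet the residual (phishing that bypasses MFA, session theft, human error) is still above the assumed appetite, so the register marks it "treat further" rather than "accept".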

Common quiz mistakes

  • Confusing threat, vulnerability and risk.
  • Thinking that risk can always be completely eliminated.
  • Confusing mitigation and transfer.
  • Thinking that accepting a risk means ignoring it.
  • Forgetting that residual risk remains even after controls.
  • Thinking that risk transfer eliminates all responsibility.
  • Assessing risk on likelihood alone, without considering impact.
  • Forgetting that risk management must be documented and reviewed.

Mini exam scenario

A company discovers that an old server contains sensitive data and no longer receives security updates. It decides to replace it with a supported system and migrate the data.

This is a form of risk mitigation, because the organization reduces the likelihood of compromise by applying a more secure solution.

If instead it decided to permanently shut down the service because it was no longer needed, that would be an example of risk avoidance.

Mini checklist before the quiz

Before starting the quiz, you should be able to explain:

  • what risk means;
  • the difference between threat and vulnerability;
  • what likelihood and impact are;
  • what risk assessment means;
  • what it means to mitigate a risk;
  • when a risk can be accepted;
  • what it means to transfer a risk;
  • what it means to avoid a risk;
  • what residual risk indicates;
  • why risks must be monitored over time.

FAQ

What does risk management mean?

It means identifying, assessing and treating risks that can harm systems, data, people, processes or services.

What is the difference between threat, vulnerability and risk?

A threat can cause harm. A vulnerability is an exploitable weakness. Risk arises when a threat can exploit a vulnerability and cause an impact.

Can risk be completely eliminated?

Not always. Controls often reduce risk to an acceptable level, but residual risk still remains.

What does it mean to mitigate a risk?

It means reducing risk by applying controls, such as MFA, patching, backups, firewalls, training or segmentation.

What does it mean to accept a risk?

It means consciously deciding to tolerate a risk, usually because it is low or because the cost of the control is not justified.

Does risk transfer eliminate all responsibility?

No. Transferring a risk, for example through insurance or outsourcing, does not completely eliminate the organization's responsibility.

What is residual risk?

It is the risk that remains after controls or security measures have been applied.

Now test what you reviewed

After the review, start the quiz to check whether you really understand the key concepts.