🏠 Back to Exam Syllabus 📺 RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 2.2 - Understand & Apply Risk Management Concepts (Part 1 of 5)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series lays the groundwork for risk management in Domain 1. Part 1 of 5 introduces the discipline that turns every security decision into a defensible spending choice — what risk management is, how its process splits in two, the vocabulary it runs on, and where the whole effort begins.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

What is risk management, and what is its real goal?

It is the disciplined process of finding what could harm your assets, weighing that against asset value and control cost, and applying cost-effective fixes — the first run produces the skeleton of your security policy. Its real goal is not zero risk, because that is impossible; the goal is to reduce risk to a level your organization can accept. Not all risk is technical: accidents, natural disasters, and civil unrest all belong on the list.

What are the two halves of the risk process?

Assessment and response. Risk assessment, also called risk analysis, examines the environment, judges how likely each threat is and how much damage it would do, and weighs the cost of countermeasures, producing a sorted, prioritized list of risks. Risk response then takes that list, evaluates safeguards through cost-benefit analysis, and proposes options to senior management — assessment is the diagnosis, response is the treatment plan.

What do the core risk terms actually mean?

An asset is anything your business relies on, and asset valuation is the value you assign it. A threat is any potential event that could harm an asset, a threat agent is who or what carries it out, and a threat event is the actual occurrence. A threat vector is the path used to reach a target, a vulnerability is the weakness that lets the threat succeed, and exposure is being susceptible to loss. Risk is the likelihood that a threat exploits a vulnerability combined with the severity of the damage, and a safeguard is the control that reduces it.

Why value your assets before anything else?

Because you cannot protect sensibly what you have not priced. An asset-based analysis starts by inventorying everything the organization owns and assigning each item a value, weighing tangible costs like replacement and intangible ones like customer trust. If an asset has no value it needs no protection, and a safeguard should never cost more than the asset it protects. Solid valuation also feeds cost-benefit analysis, insurance figures, and demonstrates due care against claims of negligence.

How do you build a complete list of threats?

By casting a wide net and using a team. Create an exhaustive list for every asset, covering both threat agents and threat events from any source imaginable — not just technology threats, since fire, flood, and human error all qualify. Published catalogs from standards bodies like NIST can seed the list, and a team drawn from many departments will name risks a network engineer would never think of. That diversity is what makes the list complete.

📚 Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 2.2 - Understand & Apply Risk Management Concepts (Part 1 of 5).