🏠 Back to Exam Syllabus 📺 RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 2.2 - Understand & Apply Risk Management Concepts (Part 2 of 5)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues the Domain 1 walk through risk management, moving into assessment and analysis. Part 2 of 5 looks at who owns the process, the standards of care behind it, and the two ways risk is actually measured — turning security instinct into evidence that leadership can fund with confidence.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

Who actually owns risk management?

Upper management does. They initiate and support the effort by defining its scope and purpose, and they make the final call on which responses get implemented. The heavy lifting — the analysis and response modeling — is usually delegated to a team from the security and IT departments who submit a proposal, but every result and decision must be understood and approved at the top. That approval is a core part of demonstrating due care.

What separates prudent action from reasonable action?

The standard of care each one sets. Reasonable action is what an ordinary, sensible person would do in the same situation — the baseline that shows you met your duty of care. Prudent action goes further, marked by extra caution, foresight, and precautions beyond the ordinary, and in court prudent choices offer stronger protection when a higher standard is expected.

How do qualitative and quantitative analysis differ?

By whether they use numbers or judgment. Quantitative analysis assigns real dollar figures through mathematical calculation, producing hard values for loss and countermeasure cost, while qualitative analysis assigns subjective ratings based on perception, experience, and intuition using techniques like brainstorming, surveys, checklists, focus groups, and scenarios. Neither alone gives the full picture, so most organizations blend them into a hybrid.

What makes the Delphi technique special?

It strips away bias by keeping responses anonymous. Participants give feedback privately, results are compiled and shared back to the group, and the cycle repeats until they reach consensus. Because no one knows who said what, ideas get judged on merit rather than on the rank or reputation of the person proposing them.

How do the quantitative formulas fit together?

You assign each asset a dollar value, then calculate the exposure factor — the percentage of the asset you would lose if a threat were realized. Single loss expectancy equals asset value times exposure factor: a database worth two hundred thousand dollars with a forty-five percent exposure factor gives a single loss expectancy of ninety thousand dollars. The annualized rate of occurrence is how often you expect the threat in a year, and annualized loss expectancy equals single loss expectancy times that rate — sorting risks by this figure tells you exactly where to start.

📚 Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 2.2 - Understand & Apply Risk Management Concepts (Part 2 of 5).