🏠 Back to Exam Syllabus 📺 RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 2.2 - Understand & Apply Risk Management Concepts (Part 5 of 5)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series completes the Domain 1 risk management journey by covering how you sustain and mature the program over time. Part 5 of 5 focuses on keeping risk work alive — verifying controls, reporting to the right audiences, improving continuously, retiring what has aged out, and following the frameworks that guide the whole cycle.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

How do you formally assess your controls?

Through a security control assessment — a formal evaluation of each security mechanism against a baseline or reliability expectation. Its goals are to confirm the controls are effective, judge the quality of your risk processes, and produce a report of strengths and weaknesses. A good assessment also weighs privacy, because a control can either protect or accidentally erode it.

How should you report risk, and to whom?

Through internal and external reporting, each with a different audience. Internal reporting serves executives, managers, and staff with detailed views of risk exposure, controls, and effectiveness, often through registers, heat maps, and key risk indicators. External reporting serves regulators, investors, and the public with higher-level disclosure of the organization’s risk profile and practices — and a good risk report is accurate, timely, complete, and updated regularly.

How do you gauge how mature your risk program is?

With a risk maturity model, which assesses the key indicators of a repeatable, sustainable risk process across five levels. Ad hoc is a chaotic starting point, preliminary shows loose and inconsistent attempts, and defined means a common framework is adopted organization-wide. Integrated weaves risk management into business processes and measures it, and optimized means the program drives strategy and feeds lessons learned back in.

What risk hides in aging systems?

Legacy risk, driven by devices that are end of life or end of support. A product reaches end of life when the manufacturer stops making it, while end of support, or end of service life, means no more updates or patches from the vendor. Running such a system is dangerous because any future vulnerability will never be fixed, and the security effort to protect it usually dwarfs the cost of replacing it.

Which frameworks guide the whole process?

A risk framework is a recipe for how risk is assessed, resolved, and monitored. NIST offers two: the risk management framework sets mandatory requirements for federal agencies and runs as a seven-phase cycle — prepare, categorize, select, implement, assess, authorize, and monitor, with the last six repeating. The cybersecurity framework targets critical infrastructure and commercial organizations, built on six functions — identify, protect, detect, respond, recover, and govern — and standards like the ISO 31000 family add high-level guidance any organization can use.

📚 Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 2.2 - Understand & Apply Risk Management Concepts (Part 5 of 5).