Residual risk is the risk that remains after security controls have been applied. No control eliminates risk entirely. Residual risk must be formally accepted by senior management before a system goes into production.
Documenting residual risk is not a sign of security failure. It is evidence of a mature risk management program. Organizations that quantify residual risk can make informed decisions about whether additional investment is justified.
CISSP Relevance
Residual risk is a foundational concept in Domain 1 (Security and Risk Management). CISSP candidates must understand the relationship between threats, vulnerabilities, controls, and residual risk, as well as the formal risk acceptance process.
External reference: NIST Glossary, "Residual Risk"
Related terms: Risk Management, Risk Assessment