Risk Management is the ongoing process of identifying, assessing, and responding to risks that could impact organizational objectives. In information security, this means understanding threats to assets, evaluating vulnerabilities that could be exploited, and implementing controls to reduce risk to acceptable levels.
Risk responses include avoidance (eliminating the activity that creates the risk), mitigation (reducing likelihood or impact), transfer (shifting the financial impact to a third party through insurance or outsourcing), and acceptance (formally acknowledging the risk without implementing further controls). The choice depends on risk appetite, cost of controls, and business requirements.
CISSP Relevance
Domain 1 (Security and Risk Management) covers risk management extensively. Expect questions on risk assessment methodologies, quantitative versus qualitative analysis, risk treatment options, and how to communicate risk to stakeholders. Understanding risk as the basis for security decisions is fundamental to CISSP thinking.
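The quantitative analysis and risk-treatment choice described above can be worked through numerically. The following is an added example, not part of the original glossary entry; it uses the standard quantitative formulas taught for Domain 1 (SLE = AV x EF, ALE = SLE x ARO, and safeguard value = ALE before the control minus ALE after it minus the control's annual cost). The asset, control names, dollar figures and the risk-appetite threshold are constructed for illustration and are not from any real assessment.

```python
"""Quantitative risk analysis and treatment selection (added worked example).

Formulas (standard CISSP quantitative risk analysis):
  SLE = AV * EF              single loss expectancy
  ALE = SLE * ARO            annualized loss expectancy
  safeguard value = ALE_before - ALE_after - annual cost of control
All sample figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset (currency units)
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0..1.0
    aro: float              # ARO: expected number of incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # None = EF unchanged
    new_aro: Optional[float] = None              # None = ARO unchanged


def sle(r: Risk) -> float:
    """Single loss expectancy: loss from one occurrence."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annualized loss expectancy: expected loss per year."""
    return sle(r) * r.aro


def apply_control(r: Risk, c: Control) -> Risk:
    """Residual risk after a mitigating control changes EF and/or ARO."""
    ef = c.new_exposure_factor if c.new_exposure_factor is not None else r.exposure_factor
    aro = c.new_aro if c.new_aro is not None else r.aro
    return Risk(r.name, r.asset_value, ef, aro)


def safeguard_value(r: Risk, c: Control) -> float:
    """Net annual benefit of a control; negative means it costs more than it saves."""
    return ale(r) - ale(apply_control(r, c)) - c.annual_cost


def recommend(r: Risk, controls: Sequence[Control], risk_appetite: float) -> Tuple[str, float]:
    """Choose a treatment and return (decision, resulting ALE).

    accept   -> ALE is already within the organization's risk appetite
    mitigate -> the control with the highest positive safeguard value
    transfer-or-avoid -> no control pays for itself; shift or eliminate the risk
    """
    if ale(r) <= risk_appetite:
        return ("accept", ale(r))
    best = max(controls, key=lambda c: safeguard_value(r, c), default=None)
    if best is not None and safeguard_value(r, best) > 0:
        return (f"mitigate:{best.name}", ale(apply_control(r, best)))
    return ("transfer-or-avoid", ale(r))


# Constructed sample data (hypothetical asset and controls)
WEB_PORTAL = Risk("customer web portal", asset_value=200_000, exposure_factor=0.25, aro=2.0)
WAF = Control("WAF", annual_cost=30_000, new_aro=0.5)                  # fewer incidents
BACKUPS = Control("tested backups", annual_cost=20_000, new_exposure_factor=0.10)  # smaller loss
GOLD_PLATED = Control("full rebuild", annual_cost=120_000, new_aro=0.0)  # eliminates incidents, too costly
CANDIDATES = [WAF, BACKUPS, GOLD_PLATED]
RISK_APPETITE = 10_000  # maximum ALE the organization will carry without treatment


if __name__ == "__main__":
    print(f"SLE = {sle(WEB_PORTAL):,.0f}  ALE = {ale(WEB_PORTAL):,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:15s} safeguard value = {safeguard_value(WEB_PORTAL, c):,.0f}")
    print(recommend(WEB_PORTAL, CANDIDATES, RISK_APPETITE))
```

With the constructed figures the portal's SLE is 50,000 and ALE 100,000; the WAF yields a safeguard value of 45,000 and is selected, leaving a residual ALE of 25,000. The "full rebuild" control has a negative safeguard value even though it removes the risk entirely, which is the point the text makes about cost of controls driving the treatment decision.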
The authoritative framework is NIST SP 800-37 Risk Management Framework.
Related terms: Risk Assessment, Threat