Domain 2: Information Security Risk Management Module 9 of 47

Risk Assessment and Analysis

CISM Domain 2 — Information Security Risk Management A — Information Security Risk Assessment 10–12 minutes

What the Exam Is Really Testing

The exam zeroes in on one idea:

Risk assessment is a structured process for evaluating likelihood, impact, and residual exposure — aligned with enterprise objectives.

The exam evaluates whether you can:

  • Distinguish inherent vs residual risk
  • Evaluate likelihood realistically
  • Assess business impact properly
  • Document and communicate risk clearly
  • Integrate findings into governance processes

Risk analysis is about decision support — not math.


The Executive Mindset Shift

Practitioner default:

High severity equals high priority.

Executive perspective:

Risk priority = Likelihood × Business Impact × Context.

Security leaders must:

  • Consider exploitability
  • Evaluate control effectiveness
  • Align with risk appetite
  • Account for regulatory exposure
  • Understand business dependency

A technically severe issue may not be enterprise-critical.


Inherent vs Residual Risk

Inherent Risk

Risk before controls are applied.

This answers:

If nothing mitigated this risk, how bad would it be?

Residual Risk

Risk remaining after controls are applied.

This answers:

Given our current control environment, what exposure remains?

CISM frequently tests whether you assess residual risk — not just inherent severity.


Qualitative vs Quantitative Analysis

Qualitative

  • High / Medium / Low
  • Impact categories
  • Scenario-driven

Often used in strategic decision-making.

Quantitative

  • Financial estimation
  • Loss expectancy modeling
  • Statistical probability

CISM expects understanding of when each is appropriate — not advanced calculation.

Most enterprise-level analysis is hybrid.
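The sections above describe risk priority as Likelihood × Business Impact × Context, distinguish inherent from residual risk, and mention loss expectancy modeling as the quantitative technique. The following is an added example (not part of the original page or any ISACA material) that puts those ideas into a small risk register. It uses the standard annualized loss expectancy model, ALE = SLE × ARO, treats each control as removing a fraction of the exposure, and folds the page's "Context" factor into a hypothetical multiplier for regulatory or business-dependency weight. All scenario names, figures, control effectiveness values and the risk appetite threshold are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Control:
    """A mitigating control and the fraction of exposure it removes (0.0 to 1.0)."""
    name: str
    effectiveness: float


@dataclass
class RiskScenario:
    """One entry in the risk register, described quantitatively."""
    name: str
    sle: float          # single loss expectancy: cost of one occurrence (currency units)
    aro: float          # annualized rate of occurrence: expected events per year
    context: float      # hypothetical multiplier for regulatory/business dependency (1.0 = neutral)
    controls: List[Control] = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Risk before controls: ALE = SLE x ARO."""
        return self.sle * self.aro

    def residual_ale(self) -> float:
        """Risk remaining after controls; each control removes its share of what is left."""
        remaining = 1.0
        for control in self.controls:
            remaining *= (1.0 - control.effectiveness)
        return self.inherent_ale() * remaining

    def priority_score(self) -> float:
        """Residual exposure weighted by context, i.e. Likelihood x Impact x Context."""
        return self.residual_ale() * self.context


def classify(scenario: RiskScenario, appetite: float) -> str:
    """Compare residual risk with the stated appetite and name the governance outcome."""
    if scenario.residual_ale() <= appetite:
        return "within appetite: monitor and keep in register"
    return "above appetite: mitigate further or escalate for formal risk acceptance"


def rank_register(register: List[RiskScenario]) -> List[RiskScenario]:
    """Order the register by priority score, highest first."""
    return sorted(register, key=lambda s: s.priority_score(), reverse=True)


def sample_register() -> List[RiskScenario]:
    """Constructed sample data: three scenarios with deliberately different profiles."""
    return [
        # Hundreds of high-severity scan findings, but low business impact and strong controls.
        RiskScenario("Internet-facing legacy app with many high-severity scan findings",
                     sle=40_000, aro=0.5, context=1.0,
                     controls=[Control("WAF", 0.5), Control("network segmentation", 0.5)]),
        # Low likelihood, high impact, regulatory exposure raises the context weight.
        RiskScenario("Breach of regulated customer records",
                     sle=2_000_000, aro=0.02, context=2.0,
                     controls=[Control("encryption at rest", 0.5)]),
        # Frequent, moderate impact, one strong control.
        RiskScenario("Credential theft via phishing",
                     sle=100_000, aro=1.0, context=1.0,
                     controls=[Control("MFA", 0.75)]),
    ]


RISK_APPETITE = 15_000  # constructed annual-loss threshold set by leadership


if __name__ == "__main__":
    for s in rank_register(sample_register()):
        print(f"{s.name}\n  inherent ALE {s.inherent_ale():>12,.0f}"
              f"  residual ALE {s.residual_ale():>12,.0f}"
              f"  priority {s.priority_score():>12,.0f}\n  -> {classify(s, RISK_APPETITE)}")
```

Run as a script, the register lists the regulated-records scenario first despite its 2% annual likelihood, the phishing scenario second, and the scan-heavy legacy app last and within appetite: the volume of high-severity findings does not by itself raise enterprise risk, while a low-likelihood, high-impact regulatory scenario still ends up escalated.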


Likelihood Evaluation

Likelihood depends on:

  • Threat capability
  • Vulnerability exposure
  • Control maturity
  • Historical incident data
  • Industry trends

Likelihood is not guesswork.

It must be supported by evidence.


Impact Evaluation

Impact includes:

  • Financial loss
  • Reputational damage
  • Regulatory penalties
  • Operational disruption
  • Strategic objective impairment

CISM prioritizes business impact over technical disruption.


Pattern Recognition

When risk assessment appears in a scenario, ask:

  1. Has likelihood been evaluated?
  2. Has business impact been assessed?
  3. Are controls considered?
  4. Is residual risk documented?
  5. Is escalation aligned with risk appetite?

Correct answers often involve:

  • Formal risk assessment
  • Documentation in risk register
  • Evaluation of control effectiveness
  • Reporting to appropriate stakeholders

Not:

  • Immediate remediation without assessment
  • Ignoring residual risk
  • Focusing solely on technical severity
  • Overreacting without structured evaluation

Trap Pattern

Common wrong instincts:

  • “High vulnerability score = high enterprise risk”
  • “Fix everything immediately”
  • “Ignore low-likelihood high-impact scenarios”
  • “Assume controls eliminate risk entirely”

CISM prioritizes structured, contextual analysis.


Scenario Practice

Question 1

A critical system has a known vulnerability. Existing controls significantly reduce exploitability.

What should the information security manager assess FIRST?

A. Replace the system
B. Residual risk considering current controls
C. Notify regulators
D. Terminate vendor relationship

Answer & reasoning

Correct: B

Risk must be evaluated in the context of control effectiveness.

Residual risk determines priority.

Question 2

A risk assessment identifies a low-likelihood but high-impact scenario involving regulatory penalties.

What is the MOST appropriate next step?

A. Ignore the scenario
B. Implement emergency remediation
C. Document the risk and escalate according to governance process
D. Publicly disclose exposure

Answer & reasoning

Correct: C

High-impact scenarios must be documented and escalated even if likelihood is low.

Question 3

A vulnerability scan reports hundreds of high-severity findings. Business impact analysis shows minimal exposure.

What is the MOST appropriate action?

A. Prioritize all high-severity findings equally
B. Replace affected systems
C. Increase monitoring frequency
D. Conduct contextual risk analysis aligned with business impact

Answer & reasoning

Correct: D

Risk priority is based on business impact, not scan volume.

Question 4

After implementing new controls, a risk remains above acceptable thresholds.

What should occur NEXT?

A. Ignore residual exposure
B. Reassess mitigation options or escalate for formal risk acceptance
C. Accept the risk without documentation
D. Decommission the system

Answer & reasoning

Correct: B

Residual risk exceeding appetite must trigger additional mitigation or formal acceptance.

Question 5

Leadership questions the accuracy of qualitative risk ratings.

What strengthens risk assessment credibility?

A. Incorporating historical data and documented evaluation criteria
B. Increasing vulnerability scanning
C. Purchasing new tools
D. Reducing assessment frequency

Answer & reasoning

Correct: A

Risk analysis must be supported by documented methodology and evidence.


Key Takeaway

In CISM:

Risk = Likelihood + Impact + Context.
Controls reduce risk — they do not eliminate it.
Residual risk drives governance decisions.

When assessing risk:

  • Evaluate exposure.
  • Consider business impact.
  • Assess control effectiveness.
  • Document findings.
  • Align with risk appetite.

Structured analysis over gut feel. The exam rewards that every time.
