Domain 2: Information Security Risk Management Review — 13 of 47

Domain 2 – Section A Review: Information Security Risk Assessment

CISM Domain 2 — Information Security Risk Management, Section A: Risk Assessment Review (10 Questions)

This section integrates:

  • Emerging Risk and Threat Landscape
  • Vulnerability and Control Deficiency Analysis
  • Risk Assessment and Analysis

CISM tests whether you evaluate risk systematically before acting.


1. Emerging Risk Requires Structured Evaluation

Emerging threats include:

  • New technologies
  • Geopolitical shifts
  • Supply chain exposure
  • Industry attack trends
  • Regulatory changes

Correct response pattern:

  1. Assess enterprise exposure.
  2. Evaluate likelihood and impact.
  3. Integrate into formal risk assessment.
  4. Inform leadership if material.

CISM does not reward panic-driven investment.


2. Vulnerability ≠ Risk

A vulnerability becomes a risk only when all three elements exist together:

Threat + Vulnerability + Business Impact

Severity scores alone do not determine priority.

Control deficiencies must be evaluated for:

  • Root cause
  • Governance weakness
  • Compensating controls
  • Residual exposure

Systemic failures matter more than isolated findings.


3. Risk Assessment Is Contextual

Risk assessment requires:

  • Likelihood evaluation
  • Impact analysis
  • Control effectiveness review
  • Residual risk calculation
  • Alignment with risk appetite

CISM prioritizes structured documentation and escalation.


4. Inherent vs Residual Risk

Inherent risk: before controls.
Residual risk: after controls.

Decisions are based on residual exposure.

If residual risk exceeds appetite, it must:

  • Be mitigated
  • Or formally accepted
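The scoring logic behind sections 2 to 4 (severity is not risk, residual risk drives the decision, residual above appetite must be mitigated or formally accepted) as an added worked example; this is not the page's or ISACA's method, and the 1-5 scales, the residual formula and the appetite threshold are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed scoring model (assumption, not an ISACA formula): 1-5 scales,
# residual = inherent x (1 - control effectiveness), compared to appetite.
RISK_APPETITE = 9.0  # maximum acceptable residual score, set by governance


@dataclass
class Finding:
    name: str
    severity: int                 # scanner/CVSS-style technical severity, 1-5
    likelihood: int               # threat activity against this asset, 1-5
    business_impact: int          # from the business impact analysis, 1-5
    control_effectiveness: float  # compensating controls, 0.0 (none) to 1.0

    def inherent_risk(self) -> int:
        # Risk exists only where threat, vulnerability and impact coincide;
        # the technical severity score is deliberately not in the formula.
        return self.likelihood * self.business_impact

    def residual_risk(self) -> float:
        return round(self.inherent_risk() * (1.0 - self.control_effectiveness), 1)

    def decision(self, appetite: float = RISK_APPETITE) -> str:
        if self.residual_risk() <= appetite:
            return "within appetite: document and monitor"
        return "exceeds appetite: mitigate further or obtain formal acceptance"


def severity_order(findings):
    """How a raw scanner report ranks findings: technical severity only."""
    return [f.name for f in sorted(findings, key=lambda f: f.severity, reverse=True)]


def residual_order(findings):
    """How the risk assessment ranks them: residual business exposure."""
    return [f.name for f in sorted(findings, key=lambda f: f.residual_risk(), reverse=True)]


# Constructed sample findings: name, severity, likelihood, impact, control effectiveness
FINDINGS = [
    Finding("critical CVE, isolated test host", 5, 2, 1, 0.5),
    Finding("medium CVE, payment gateway", 3, 4, 5, 0.2),
    Finding("critical CVE, DMZ host behind WAF", 5, 5, 4, 0.6),
]

if __name__ == "__main__":
    for f in sorted(FINDINGS, key=lambda f: f.residual_risk(), reverse=True):
        print(f"{f.name}: residual {f.residual_risk()} -> {f.decision()}")
```

The severity-only ranking puts the isolated test host first, while the residual ranking puts the medium-severity payment gateway finding first and flags it as the only one needing treatment or formal acceptance.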

Section A Decision Pattern

When unsure:

  1. Assess exposure first.
  2. Evaluate business impact.
  3. Consider control effectiveness.
  4. Document and escalate appropriately.
  5. Avoid immediate tactical reaction.

If an answer jumps straight to remediation — it is usually wrong.


Section A – Practice Questions

Question 1

Industry reports indicate a rise in attacks exploiting a new cloud misconfiguration. Your organization uses similar cloud architecture.

What should occur FIRST?

A. Conduct exposure assessment and risk analysis
B. Replace cloud providers
C. Implement emergency controls
D. Notify regulators

Answer & reasoning

Correct: A

Emerging threats require structured evaluation before remediation.

Question 2

A high-severity vulnerability is identified on a low-impact internal system.

What is the MOST appropriate action?

A. Immediate system replacement
B. Escalate to the board
C. Ignore the finding
D. Conduct business impact and residual risk assessment

Answer & reasoning

Correct: D

Severity must be evaluated in business context.

Question 3

Repeated audit findings show inconsistent patch management across departments.

What is the PRIMARY concern?

A. Vendor performance
B. Encryption strength
C. Automation level
D. Root cause governance failure

Answer & reasoning

Correct: D

Systemic control deficiencies indicate governance weakness.

Question 4

A new technology is introduced without security involvement. No incidents have occurred.

What is the MOST appropriate next step?

A. Ban the technology
B. Ignore until breach occurs
C. Conduct risk assessment and document findings
D. Purchase monitoring tools

Answer & reasoning

Correct: C

Emerging technology requires structured risk evaluation.

Question 5

A preventive control fails, but a detective control identifies the issue before impact.

What should be evaluated FIRST?

A. Root cause of preventive control failure and residual exposure
B. Eliminate detective controls
C. Replace system
D. Notify customers

Answer & reasoning

Correct: A

Control failure requires structured analysis of residual risk.

Question 6

A low-likelihood but high-impact regulatory risk is identified.

What is the MOST appropriate action?

A. Ignore due to low likelihood
B. Implement immediate emergency remediation
C. Document and escalate through governance process
D. Publicly disclose risk

Answer & reasoning

Correct: C

High-impact risks require governance documentation even if unlikely.

Question 7

Multiple high-severity vulnerabilities are reported, but compensating controls significantly reduce exposure.

What is the MOST appropriate approach?

A. Prioritize all equally
B. Conduct contextual residual risk assessment
C. Replace affected systems
D. Increase scanning frequency

Answer & reasoning

Correct: B

Residual risk determines prioritization.

Question 8

A competitor experiences a major third-party breach.

What is the MOST appropriate response?

A. Conduct targeted third-party risk assessment
B. Replace all vendors
C. Assume internal compromise
D. Notify regulators

Answer & reasoning

Correct: A

External incidents should trigger structured internal evaluation.

Question 9

Residual risk after mitigation exceeds defined risk appetite.

What must occur?

A. Ignore the excess exposure
B. Formal risk acceptance or additional mitigation
C. Immediate system shutdown
D. Reduce monitoring

Answer & reasoning

Correct: B

Risk exceeding appetite must be formally addressed.

Question 10

Leadership questions the consistency of risk ratings across departments.

What strengthens assessment reliability?

A. Increasing vulnerability scans
B. Standardized methodology and documented evaluation criteria
C. Purchasing new software
D. Reducing assessment scope

Answer & reasoning

Correct: B

Consistent methodology improves governance credibility.


Section A Pattern Summary

In Domain 2 Section A:

  • Emerging risk triggers assessment — not panic.
  • Vulnerability severity does not equal enterprise risk.
  • Control deficiencies require root cause analysis.
  • Residual risk drives decisions.
  • Documentation and escalation matter.

CISM evaluates structured judgment — not technical reaction.

Next Module: Module 10 – Risk Treatment / Risk Response Options