# Risk Management Lifecycle

One-sentence definition: Ongoing process to identify, analyze, respond to, monitor, and communicate risk to achieve objectives.

## Key Facts

- Steps: context → identify → assess → respond → monitor/report → improve.
- Inputs: assets, threats, vulnerabilities, controls, business impact.
- Outputs: risk register, treatment plans, metrics (KPIs/KRIs).
- Communication: to owners/leadership for acceptance or treatment.
- Iterative: revisit after changes (tech, threats, compliance).
- Aligns with ISO 31000, ISO 27005, NIST RMF (see Part B).
- **Label:** **Continuous** cycle integrated with strategy and projects.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Recognize correct next steps and artifacts in lifecycle scenarios.

**Mnemonic:** “I ARM It” → Identify, Assess, Respond, Monitor, Improve, tell (communicate).

## Mini Scenario

Q: After selecting controls, what’s next?

A: Implement, then monitor effectiveness and update the risk register.

## Revision Checklist

- Name each phase and a key output.
- Identify who accepts residual risk.
- Explain when to re-assess.

## Related

[[Threat vs Vulnerability vs Risk]] · [[Risk Assessment: Qualitative vs Quantitative]] · [[Risk Response Strategies]] · [[Risk Register and Reporting]] · [[Security Metrics, KPIs, KRIs]] · [[Domain 1 - Index]]