# Qualitative Risk Assessment

Backlink: [[Domain 1 - Index]]

**Definition:** Subjective evaluation of risk using categories, ratings, and narrative analysis.

## Key Facts

- Uses scales (Low/Med/High) for likelihood and impact.
- Produces heat maps and prioritized risk lists.
- Facilitates workshops, expert judgment, scenario analysis.
- Good for early-stage or scarce data; faster than quantitative.
- Define criteria to reduce bias; use weighted scoring if needed.
- **Verify:** check official (ISC)² CBK and current exam outline.

>[!tip] **Exam Relevance**
> - Appropriate when data is limited or time-constrained
> - Interpreting heat maps and prioritization choices

>[!note] **Mnemonic**
> - “Quick but Qualified.”

### Example

Q: Team rates a risk as High/Medium. What’s missing?

A: Defined scale criteria.

## Revision Checklist

- [ ] List pros/cons vs. quantitative
- [ ] Define scale criteria
- [ ] Explain heat map use
- [ ] Describe when to choose qualitative

## Related

[[Quantitative Risk Assessment]] · [[Risk Management Process]] · [[Risk Terminology]] · [[Security Metrics, KPIs, and KRIs]] · [[Risk Appetite and Tolerance]]

#cisSP #domain-1 #concept