# Risk Management Process

Backlink: [[Domain 1 - Index]]

**Definition:** A structured cycle to identify, analyze, respond to, and monitor risks to achieve objectives within appetite.

## Key Facts

- Steps: context → identification → analysis/assessment → response → monitoring/reporting.
- Integrates qualitative and quantitative methods.
- Produces a risk register with owners, treatments, and residual risk.
- Consider inherent vs. residual risk and control effectiveness.
- Review triggers: changes in assets, threats, regulations, incidents.
- **Verify:** check the official (ISC)² CBK and current exam outline.

> [!tip] **Exam Relevance**
> - Pick the next best step in process-based scenarios
> - Distinguish inherent vs. residual risk and treatment options

> [!note] **Mnemonic**
> - “Identify, Assess, Act, Monitor (IAAM).”

### Example

Q: After selecting mitigation controls, what next?

A: Implement/monitor and update the risk register (residual risk).

## Revision Checklist

- [ ] Name core steps in order
- [ ] Define inherent vs. residual risk
- [ ] List the 4 responses
- [ ] Know the purpose of a risk register

## Related

[[Risk Terminology]] · [[Risk Response Strategies]] · [[Qualitative Risk Assessment]] · [[Quantitative Risk Assessment]] · [[Security Metrics, KPIs, and KRIs]]

#cissp #domain-1 #concept