# Risk Response Strategies

Backlink: [[Domain 1 - Index]]

**Definition:** The four classic treatments for risk: avoid, transfer, mitigate, accept (and sometimes share).

## Key Facts

- Avoid: eliminate the activity or source (e.g., don’t store PII).
- Transfer: shift impact via insurance, contracts, cloud SLAs.
- Mitigate: reduce likelihood/impact with controls.
- Accept: informed decision; document and monitor within tolerance.
- Share: distribute across partners (joint venture).
- **Verify:** check the official (ISC)² CBK and current exam outline.

> [!tip] **Exam Relevance**
> - Select the best response given constraints
> - Identify when acceptance is appropriate

> [!note] **Mnemonic**
> - “All Turtles Move Ahead.”

### Example

Q: Legacy app risk cannot be fixed; data noncritical. Action?
A: Accept (with monitoring) if within tolerance.

## Revision Checklist

- [ ] Define each response
- [ ] Give one example per response
- [ ] Tie response to appetite/tolerance
- [ ] Note residual risk ownership

## Related

[[Risk Management Process]] · [[Service Level Agreements and Contracts]] · [[Security Control Types]] · [[Quantitative Risk Assessment]] · [[Third-Party and Supplier Risk Management]]

#cisSP #domain-1 #concept