nerdexam
(ISC)2

CISSP-ISSEP · Question #144

The phase 3 of the Risk Management Framework (RMF) process is known as mitigation planning. Which of the following processes take place in phase 3? Each correct answer represents a complete solution.

The correct answer is A. Agree on a strategy to mitigate risks. B. Evaluate mitigation progress and plan next assessment. D. Document and implement a mitigation plan.. Phase 3 of the RMF (Mitigation Planning) centers on responding to identified risks - which means agreeing on a strategy (A), documenting and implementing the actual mitigation plan (D), and then evaluating progress to inform the next round (B) are all core activities of this phas

Risk Management

Question

The phase 3 of the Risk Management Framework (RMF) process is known as mitigation planning. Which of the following processes take place in phase 3? Each correct answer represents a complete solution. Choose all that apply.

Options

  • AAgree on a strategy to mitigate risks.
  • BEvaluate mitigation progress and plan next assessment.
  • CIdentify threats, vulnerabilities, and controls that will be evaluated.
  • DDocument and implement a mitigation plan.

How the community answered

(43 responses)
  • A
    91% (39)
  • C
    9% (4)

Explanation

Phase 3 of the RMF (Mitigation Planning) centers on responding to identified risks - which means agreeing on a strategy (A), documenting and implementing the actual mitigation plan (D), and then evaluating progress to inform the next round (B) are all core activities of this phase. Option B fits here because tracking mitigation progress and scheduling the next assessment is part of closing the loop within the mitigation planning cycle, not a separate phase. These three options together represent the full arc of mitigation: plan, execute, and review.

Why C is wrong: Identifying threats, vulnerabilities, and controls belongs to Phase 2 (Risk Assessment), not Phase 3. By the time you reach mitigation planning, that identification work is already done - you're now acting on it.

Memory tip: Think of Phase 3 as "APD" - Agree, Plan/implement, Done-checking (evaluate progress). If an activity sounds like discovery (finding threats, identifying controls), it's Phase 2. If it sounds like action and follow-through, it's Phase 3.

Topics

#Risk Management Framework (RMF)#Mitigation Planning#Risk Treatment#Security Controls

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSEP Practice