CISSP · Question #333
What are the steps of a risk assessment?
The correct answer is A. identification, analysis, evaluation. A formal risk assessment follows a structured three-step process defined by standards such as ISO 31000 and NIST SP 800-30: identification, analysis, and evaluation.
Question
What are the steps of a risk assessment?
Options
- Aidentification, analysis, evaluation
- Banalysis, evaluation, mitigation
- Cclassification, identification, risk management
- Didentification, evaluation, mitigation
How the community answered
(27 responses)- A93% (25)
- C4% (1)
- D4% (1)
Why each option
A formal risk assessment follows a structured three-step process defined by standards such as ISO 31000 and NIST SP 800-30: identification, analysis, and evaluation.
According to ISO 31000 and NIST SP 800-30, the risk assessment process consists of risk identification (finding and describing risks), risk analysis (understanding the nature, likelihood, and impact of risks), and risk evaluation (comparing analysis results against risk criteria to prioritize). These three steps form the distinct assessment phase, which is separate from broader risk treatment or mitigation activities.
This choice skips the identification step, which is the foundational first step where risks are discovered and cataloged; without identification, there is nothing to analyze or evaluate.
Classification and risk management are not the defined steps of a risk assessment; classification may be part of asset management, and risk management is the broader overarching process that encompasses assessment, not a step within it.
Mitigation (risk treatment) is a step that occurs after the risk assessment is complete, not a step within the assessment itself; substituting mitigation for analysis omits the critical analytical phase.
Concept tested: Formal risk assessment process steps
Source: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
Topics
Community Discussion
No community discussion yet for this question.