nerdexam
(ISC)2

CISSP · Question #333

What are the steps of a risk assessment?

The correct answer is A. identification, analysis, evaluation. A formal risk assessment follows a structured three-step process defined by standards such as ISO 31000 and NIST SP 800-30: identification, analysis, and evaluation.

Submitted by valeria.br· Mar 5, 2026Security and Risk Management

Question

What are the steps of a risk assessment?

Options

  • Aidentification, analysis, evaluation
  • Banalysis, evaluation, mitigation
  • Cclassification, identification, risk management
  • Didentification, evaluation, mitigation

How the community answered

(27 responses)
  • A
    93% (25)
  • C
    4% (1)
  • D
    4% (1)

Why each option

A formal risk assessment follows a structured three-step process defined by standards such as ISO 31000 and NIST SP 800-30: identification, analysis, and evaluation.

Aidentification, analysis, evaluationCorrect

According to ISO 31000 and NIST SP 800-30, the risk assessment process consists of risk identification (finding and describing risks), risk analysis (understanding the nature, likelihood, and impact of risks), and risk evaluation (comparing analysis results against risk criteria to prioritize). These three steps form the distinct assessment phase, which is separate from broader risk treatment or mitigation activities.

Banalysis, evaluation, mitigation

This choice skips the identification step, which is the foundational first step where risks are discovered and cataloged; without identification, there is nothing to analyze or evaluate.

Cclassification, identification, risk management

Classification and risk management are not the defined steps of a risk assessment; classification may be part of asset management, and risk management is the broader overarching process that encompasses assessment, not a step within it.

Didentification, evaluation, mitigation

Mitigation (risk treatment) is a step that occurs after the risk assessment is complete, not a step within the assessment itself; substituting mitigation for analysis omits the critical analytical phase.

Concept tested: Formal risk assessment process steps

Source: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

Topics

#risk assessment#risk management process

Community Discussion

No community discussion yet for this question.

Full CISSP Practice