nerdexam
(ISC)2

CISSP · Question #688

A security professional is assessing the risk in an application and does not take into account any mitigating or compensating controls. This type of risk rating is an example of which of the following

The correct answer is B. Inherent risk. Inherent risk is the risk that exists in an application or a system before applying any mitigating or compensating controls. Inherent risk represents the worst-case scenario of the potential impact and likelihood of a threat exploiting a vulnerability. Inherent risk is usually as

Submitted by saadiq_pk· Mar 5, 2026Security and Risk Management

Question

A security professional is assessing the risk in an application and does not take into account any mitigating or compensating controls. This type of risk rating is an example of which of the following?

Options

  • ATransferred risk
  • BInherent risk
  • CResidual risk
  • DAvoided risk

How the community answered

(53 responses)
  • A
    8% (4)
  • B
    87% (46)
  • C
    2% (1)
  • D
    4% (2)

Explanation

Inherent risk is the risk that exists in an application or a system before applying any mitigating or compensating controls. Inherent risk represents the worst-case scenario of the potential impact and likelihood of a threat exploiting a vulnerability. Inherent risk is usually assessed by using qualitative or quantitative methods, such as risk matrices, risk scales, or risk formulas. Inherent risk helps to identify the areas that need the most attention and resources, and to prioritize the implementation of controls. Inherent risk is different from residual risk, which is the risk that remains after applying the controls, and from transferred risk, which is the risk that is shifted to another party, such as an insurance company or a service provider. Inherent risk is also different from avoided risk, which is the risk that is eliminated by not performing an activity or by changing the scope or objectives of the activity.

Topics

#risk assessment#inherent risk#risk management

Community Discussion

No community discussion yet for this question.

Full CISSP Practice