Enterprise Risk Management
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.
Included in this chapter:
- Who owns the risk: the four data-handling roles
- The risk-management lifecycle and the frameworks behind it
- Treating the risk: the five options, appetite, and residual risk
- Assessing provider risk and meeting transparency duties
- Exam-pattern recognition
The five risk treatments and when each is the right call
| Treatment | What you do | Cloud example | Residual risk left |
|---|---|---|---|
| Avoid | Stop the risky activity entirely | Keep regulated data on-prem rather than move it to a non-compliant region | None from this activity (but lost benefit) |
| Mitigate | Add controls to cut likelihood or impact | Encrypt data at rest and add CASB monitoring before migrating | Reduced; whatever the controls cannot cover |
| Transfer | Shift the financial consequence to a third party | Buy cyber-insurance covering breach-response cost | The non-financial impact (reputation, duty) stays with you |
| Share | Split ownership of the risk with another party | Provider runs physical and hypervisor controls under the shared-responsibility model | Your half of the split, plus provider-failure risk |
| Accept | Knowingly retain the risk, no further action | Tolerate a low-impact regional-latency risk within appetite | The full risk, formally signed off by the owner |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- ISC2 CCSP Certification Exam Outline
- GDPR Article 4 — Definitions (controller, processor, data subject)
- ISO 31000:2018 — Risk management — Guidelines Whitepaper
- NIST SP 800-37 Rev. 2 — Risk Management Framework for Information Systems and Organizations Whitepaper
- FIPS 199 — Standards for Security Categorization of Federal Information and Information Systems Whitepaper
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations Whitepaper
- COSO Enterprise Risk Management — Integrating with Strategy and Performance Whitepaper
- ISACA Risk IT Framework Whitepaper
- NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments Whitepaper
- https://learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps
- ISO/IEC 27017:2015 — Code of practice for information security controls for cloud services Whitepaper
- ISO/IEC 27018:2019 — Protection of personally identifiable information (PII) in public clouds Whitepaper
- https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement
- CSA STAR Registry
- https://us.aicpa.org/research/standards/auditattest/ssae
- GDPR Article 33 — Notification of a personal data breach to the supervisory authority
- https://pcaobus.org/oversight/standards/auditing-standards