Domain 6 of 6 · Chapter 4 of 5

Enterprise Risk Management

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • Who owns the risk: the four data-handling roles
  • The risk-management lifecycle and the frameworks behind it
  • Treating the risk: the five options, appetite, and residual risk
  • Assessing provider risk and meeting transparency duties
  • Exam-pattern recognition

The five risk treatments and when each is the right call

TreatmentWhat you doCloud exampleResidual risk left
AvoidStop the risky activity entirelyKeep regulated data on-prem rather than move it to a non-compliant regionNone from this activity (but lost benefit)
MitigateAdd controls to cut likelihood or impactEncrypt data at rest and add CASB monitoring before migratingReduced; whatever the controls cannot cover
TransferShift the financial consequence to a third partyBuy cyber-insurance covering breach-response costThe non-financial impact (reputation, duty) stays with you
ShareSplit ownership of the risk with another partyProvider runs physical and hypervisor controls under the shared-responsibility modelYour half of the split, plus provider-failure risk
AcceptKnowingly retain the risk, no further actionTolerate a low-impact regional-latency risk within appetiteThe full risk, formally signed off by the owner

Decision tree

New cloud risk assessedActivity worth its risk?AvoidNoResidual within appetite?YesAccept (sign off)YesMove cost or own a control?No, too highTransferinsure the costmove costSharesplit w/ providerMitigateadd controlsown a control

Cheat sheet

  • Moving to the cloud outsources the work, never the accountability
  • The data owner is the controller; the custodian is the processor
  • A processor that picks its own purpose becomes a controller
  • Every assessed risk gets exactly one of five treatments
  • Transfer moves the cost; it does not move the duty
  • Buying insurance is transfer, not acceptance
  • Acceptance is only legitimate when the owner records and signs off
  • The cloud shared-responsibility model is risk sharing
  • No treatment reaches zero; what remains is residual risk
  • Risk appetite is enterprise-wide; risk tolerance is the per-objective threshold
  • A treatment is acceptable only if residual risk stays within tolerance
  • ISO 31000 is the generic risk-management process; NIST RMF is the control lifecycle
  • NIST RMF runs seven steps ending in Authorize and looping through Monitor
  • Risk is likelihood times impact
  • Assess the provider against a framework, then verify with independent attestation
  • GDPR requires breach notification within 72 hours of awareness
  • SOX puts cloud financial systems in internal-control-reporting scope
  • Transparency duties are the owner's, so they become provider contract terms
  • Assess the risk environment across service, vendor, infrastructure, and business
  • Vendor-neutral frameworks beat a single CSP's proprietary tool
  • MTD equals RTO plus WRT, and a cloud SLA must be aligned to the MTD
  • A cloud BIA must weigh CSP dependency and time-dependent impact
  • SaaS continuity relies on contractual SLAs plus independently extracted data backups
  • Multi-tenancy aggregates risk because a shared hypervisor is one common point of compromise
  • Concentrating critical workloads on one CSP creates a correlated single point of failure
  • Supply-chain (Nth-party) concentration hides when separate vendors share one underlying provider
  • Unclear shared-responsibility boundaries create control gaps neither party covers
  • Moving IaaS to SaaS trades direct technical control for reliance on contracts and assurance

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. ISC2 CCSP Certification Exam Outline
  2. GDPR Article 4 — Definitions (controller, processor, data subject)
  3. ISO 31000:2018 — Risk management — Guidelines Whitepaper
  4. NIST SP 800-37 Rev. 2 — Risk Management Framework for Information Systems and Organizations Whitepaper
  5. FIPS 199 — Standards for Security Categorization of Federal Information and Information Systems Whitepaper
  6. NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations Whitepaper
  7. COSO Enterprise Risk Management — Integrating with Strategy and Performance Whitepaper
  8. ISACA Risk IT Framework Whitepaper
  9. NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments Whitepaper
  10. https://learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps
  11. ISO/IEC 27017:2015 — Code of practice for information security controls for cloud services Whitepaper
  12. ISO/IEC 27018:2019 — Protection of personally identifiable information (PII) in public clouds Whitepaper
  13. https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement
  14. CSA STAR Registry
  15. https://us.aicpa.org/research/standards/auditattest/ssae
  16. GDPR Article 33 — Notification of a personal data breach to the supervisory authority
  17. https://pcaobus.org/oversight/standards/auditing-standards