FlashGenius
ISACA CRISC® · Domain 2 · 22% of Exam

CRISC: Risk Assessment

Risk Identification · Threat Modeling · BIA · Risk Register · ALE/SLE Formulas
150 Questions · 4 Domains · 22% This Domain · 3-Year Credential
Domain 2 · Risk Assessment

Risk Assessment — The Analytical Engine of CRISC

Understanding how to identify, model, and quantify risk is the core competency of every CRISC candidate.

Risk Assessment is the analytical engine of CRISC — identifying threats and vulnerabilities, building risk scenarios, and quantifying likelihood and impact to produce a defensible risk score. Domain 2 accounts for 22% of the exam and directly feeds into risk response planning. Mastery here means understanding not just the formulas, but the judgments that connect risk analysis to business decisions.

Risk Identification

Systematically finding risk events through threat modeling, vulnerability scanning, and scenario workshops. Outputs feed the risk register and must be treated as an ongoing process — not a one-time exercise.

Threat vs Vulnerability vs Risk

Threat: a potential cause of harm (e.g., ransomware actor). Vulnerability: a weakness that can be exploited (e.g., unpatched system). Risk = Threat × Vulnerability × Impact. All three must be present for risk to exist.

Risk Scenario Development

Building realistic, specific IT risk scenarios (Actor + Threat Type + Asset + Impact) aligned to business objectives. Scenarios are the primary unit of CRISC risk analysis and are documented in the risk register.

Inherent vs Residual Risk

Inherent risk: raw risk before any controls. Residual risk: risk remaining after controls are applied. Target residual risk: the desired level (must align with risk appetite). Gap between residual and target triggers additional treatment.

Domain 2A & 2B

Core Concepts

Detailed coverage of Risk Identification and Risk Analysis subtopics.

Risk Identification (Domain 2A)

Risk Events

  • Risk event: a situation where a threat exploits a vulnerability and causes impact to a business objective
  • Categories: strategic, operational, financial, compliance, reputational
  • IT risk event examples: data breach, system outage, unauthorized access, ransomware, insider threat
  • Risk identification sources: past incidents, audit findings, vulnerability scans, threat intelligence, interviews, workshops
  • Risk identification must be ongoing — not a one-time exercise

Threat Modeling and Threat Landscape

  • Threat agent (actor): person or group with motive, means, and opportunity (external attacker, insider, nation-state)
  • Threat landscape: current external environment of threat agents and their tactics (informed by threat intelligence)
  • STRIDE model: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
  • PASTA (Process for Attack Simulation and Threat Analysis): risk-centric threat modeling methodology
  • Threat intelligence sources: ISACs, CISA alerts, vendor advisories, dark web monitoring
  • CRISC focus: linking threats to specific IT assets and business processes

Vulnerability Management

  • Vulnerability: a weakness in technology, process, or people that can be exploited by a threat
  • Technical vulnerabilities: unpatched software, misconfigured systems, weak credentials, legacy systems
  • Process vulnerabilities: missing controls, inadequate segregation of duties, no change management
  • Human vulnerabilities: lack of security awareness, social engineering susceptibility
  • Vulnerability identification methods: penetration testing, vulnerability scanning, code reviews, audits
  • CVSS (Common Vulnerability Scoring System): standard for rating technical vulnerability severity (0–10)

Risk Scenario Development and Evaluation

  • Risk scenario components: Threat Actor + Threat Type + Asset/Resource + Impact type
  • Example scenario: "An external attacker uses phishing to compromise a finance employee's credentials resulting in unauthorized wire transfers"
  • Scenarios must be tied to specific business objectives to be relevant
  • Scenario evaluation: assess likelihood and impact; produces risk score
  • Risk scenarios are documented in the risk register
  • ISACA recommends both top-down (from strategic objectives) and bottom-up (from assets/threats) approaches

Risk Analysis (Domain 2B)

Risk Assessment Concepts and Standards

  • Risk assessment: the overall process of identifying, analyzing, and evaluating risk
  • NIST SP 800-30: Guide for Conducting Risk Assessments — defines threat sources, events, vulnerabilities, likelihood, impact
  • ISO/IEC 27005: Information security risk management standard (aligned with ISO 27001)
  • OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): asset-centric risk methodology
  • FAIR (Factor Analysis of Information Risk): quantitative risk model — probability × magnitude of loss
  • Key output: risk score/rating and risk register update

Business Impact Analysis (BIA)

  • BIA: identifies critical business processes, their IT dependencies, and the impact of their disruption
  • BIA outputs: critical process list, RTO and RPO for each, Maximum Tolerable Downtime (MTD), impact ratings (financial, operational, reputational)
  • MTD: the absolute maximum time a business process can be unavailable before causing unacceptable damage
  • BIA informs: BCP/DRP priorities, IT resilience investments, risk treatment priorities
  • BIA must be performed before risk treatment planning — you cannot prioritize without knowing criticality

Risk Register

  • Risk register: the central repository for all identified risks; a living document
  • Standard fields: Risk ID, Risk Description, Risk Scenario, Risk Owner, Likelihood, Impact, Inherent Risk Score, Current Controls, Residual Risk Score, Risk Treatment, KRI, Due Date
  • Risk register feeds into the risk profile (executive view)
  • Maintained by the risk function, owned by risk owners
  • Must be reviewed regularly (at minimum annually; after major incidents or changes)

Risk Analysis Methodologies

  • Qualitative analysis: uses descriptive scales (High/Medium/Low; 1–5) for likelihood and impact; faster, subjective; most common in CRISC scenarios
  • Quantitative analysis: uses numerical values and formulas; objective but data-intensive
  • Semi-quantitative: combines descriptive ratings with numeric scores; hybrid approach
  • Risk heat map / risk matrix: plots likelihood vs impact; visual tool for prioritization
  • Exam tip: know ALE = ARO × SLE; know SLE = Asset Value × EF

Term | Formula / Definition | Example
EF (Exposure Factor) | % of asset value lost per incident | Fire destroys 40% of server → EF = 0.40
SLE (Single Loss Expectancy) | Asset Value × EF | $100K server × 0.40 = $40,000
ARO (Annual Rate of Occurrence) | How often the event occurs per year | Fire once every 10 years → ARO = 0.1
ALE (Annual Loss Expectancy) | ARO × SLE | 0.1 × $40,000 = $4,000/year

5×5 Risk Heat Map — Likelihood vs Impact

L↑ / I→ |  1 |  2 |  3 |  4 |  5
   5    |  5 | 10 | 15 | 20 | 25
   4    |  4 |  8 | 12 | 16 | 20
   3    |  3 |  6 |  9 | 12 | 15
   2    |  2 |  4 |  6 |  8 | 10
   1    |  1 |  2 |  3 |  4 |  5

Impact (1=Minimal → 5=Critical) | Score = Likelihood × Impact | Low 1–4 · Med 5–9 · High 10–16 · Critical 20–25

Inherent and Residual Risk

  • Inherent risk: the level of risk that exists WITHOUT any controls in place
  • Residual risk: the level of risk AFTER controls are applied
  • Target residual risk: the desired residual risk level (defined by risk appetite)
  • Control gap: when residual risk exceeds target residual risk — triggers additional treatment
  • Risk = Likelihood × Impact (foundational formula)
  • CRISC candidates must be able to calculate and interpret all three risk levels
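
As an added worked example (not from the page's author or from ISACA), the Python below models one risk-register row with the two scoring chains this section describes: Likelihood × Impact banded on the 5×5 heat map, and the SLE/ALE formula chain. The scenario text, ratings and target score are constructed; the only departure from the page is that band() rejects 17–19, which no product of two 1–5 ratings can produce.

```python
from dataclasses import dataclass

# Heat-map bands as given on this page: Low 1-4, Med 5-9, High 10-16, Critical 20-25.
BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 16, "High"), (20, 25, "Critical"))

def risk_score(likelihood: int, impact: int) -> int:
    """Score = Likelihood x Impact, both on the 1-5 scale of the 5x5 matrix."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1-5, got {value}")
    return likelihood * impact

def band(score: int) -> str:
    """Map a score to its band; 17-19 are unreachable in a 5x5 matrix, so they are input errors."""
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"{score} is not a reachable 5x5 heat-map score")

def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = Asset Value x EF, with EF as a fraction (0.40, not 40)."""
    if not 0 <= exposure_factor <= 1:
        raise ValueError("EF must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)

def ale(aro: float, single_loss: float) -> float:
    """Annual Loss Expectancy = ARO x SLE, rounded to cents."""
    return round(aro * single_loss, 2)

@dataclass
class RegisterEntry:
    risk_id: str
    scenario: str
    inherent_likelihood: int  # ratings with no controls in place
    inherent_impact: int
    residual_likelihood: int  # ratings after current controls
    residual_impact: int
    target_score: int         # target residual level set by risk appetite (Domain 1)
    def inherent_score(self) -> int:
        return risk_score(self.inherent_likelihood, self.inherent_impact)
    def residual_score(self) -> int:
        return risk_score(self.residual_likelihood, self.residual_impact)
    def control_gap(self) -> bool:
        """True when residual risk still exceeds the target: more treatment is needed."""
        return self.residual_score() > self.target_score

# Constructed sample row (hypothetical ratings) built from the page's phishing scenario.
SAMPLE = RegisterEntry("R-001", "External attacker phishes finance credentials -> unauthorized wire transfers",
                       inherent_likelihood=4, inherent_impact=5, residual_likelihood=2, residual_impact=5, target_score=6)
```

For the sample row the inherent score is 20 (Critical), the residual score is 10 (High), and since 10 exceeds the target of 6 a control gap is flagged, which is exactly the condition that sends the scenario into Domain 3 risk response.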

Memory Techniques

Memory Hooks

Six conceptual anchors to lock in the most exam-tested ideas from Domain 2.

"Threat × Vulnerability = Risk (+ Impact)"

Risk doesn't exist without both a threat AND a vulnerability. A locked vault (no vulnerability) isn't a risk even if thieves exist. An unlocked door (vulnerability) with no thieves (no threat) isn't a risk either. Risk = Threat Agent + Vulnerability + Impact to a business objective.

"ALE = ARO × SLE = ARO × (Value × EF)"

The CRISC quantitative formula chain: SLE = Asset Value × Exposure Factor. ALE = Annual Rate of Occurrence × SLE. If a $100K server has a 40% EF from fire and fire occurs 0.1×/year: SLE=$40K, ALE=$4K/year. Work the chain from EF inward.

"Inherent → Controls → Residual → Target"

Start with inherent risk (no controls). Apply controls. Get residual risk. Compare to target residual risk (risk appetite). Gap = need more treatment. This flow is the heart of CRISC risk analysis and directly feeds Domain 3 risk response decisions.

"BIA before BCP/DRP always"

BIA identifies WHAT is critical and the RTO/RPO for each process. Without BIA, you don't know what to protect first. MTD = the absolute ceiling — if exceeded, the business faces unacceptable consequences. RTO must always be less than MTD.

"Risk Register = Source of Truth"

Every identified risk scenario lives in the risk register with its owner, likelihood, impact, inherent/residual scores, current controls, and treatment plan. It feeds the risk profile (executive view) and KRI monitoring. It must be kept current — reviewed at minimum annually.

"Qualitative = Fast, Quantitative = Precise"

Qualitative uses High/Medium/Low; quick and widely used. Quantitative uses ALE/SLE/ARO; precise but needs reliable data. CRISC favors qualitative in practice; quantitative for cost-benefit of controls. Semi-quantitative bridges both approaches.

10 Questions · Domain 2

Knowledge Check Quiz

1. What is the correct formula for Annual Loss Expectancy (ALE)?
2. The risk remaining AFTER controls are applied is known as:
3. A Business Impact Analysis (BIA) is PRIMARILY used to:
4. Which risk analysis approach uses Annual Rate of Occurrence and Single Loss Expectancy?
5. A risk scenario is BEST described as:
6. What does the Exposure Factor (EF) represent in quantitative risk analysis?
7. Which standard specifically provides guidance on information security risk management and is closely aligned with ISO/IEC 27001?
8. In a 5×5 risk matrix, a risk scored Likelihood=4, Impact=5 would be classified as:
9. Which of the following is NOT a component of a standard risk register entry?
10. The Maximum Tolerable Downtime (MTD) is BEST defined as:
8 Cards

Flashcards

Formula Chain
ALE / SLE / ARO / EF formulas
EF (Exposure Factor) = % of asset value lost per incident.
SLE = Asset Value × EF.
ARO = how often per year.
ALE = ARO × SLE.
Example: $200K asset, 50% EF, 0.2 ARO → SLE=$100K, ALE=$20K/year.

Core Concept
Inherent vs Residual vs Target Risk
Inherent risk: risk level WITH NO controls — the raw, baseline risk.
Residual risk: risk level AFTER controls are applied.
Target residual risk: the DESIRED level (aligns to risk appetite).
Gap between residual and target triggers additional treatment.

Scenario Building
Risk Scenario anatomy
4 components: Threat Actor (who) + Threat Type (how) + Asset/Resource (what) + Business Impact (consequence).
Example: External hacker uses SQL injection on customer DB causing regulatory fines. Must tie to a business objective.

BIA
BIA key outputs
1. Critical process inventory
2. IT dependencies per process
3. RTO — max time to restore
4. RPO — max data loss in time
5. MTD — absolute max downtime before unacceptable harm
6. Impact ratings (financial, operational, reputational)
Required BEFORE writing BCP or DRP.

Methodology
Qualitative vs Quantitative Risk Analysis
Qualitative: H/M/L ratings or 1–5 scales; fast, subjective, widely used.
Quantitative: SLE/ALE/ARO formulas; precise, needs reliable data; used for control cost-benefit.
Semi-quantitative: hybrid — descriptive ratings mapped to numeric scores.
CRISC primarily tests qualitative scenarios.

Threat Modeling
STRIDE threat model
S — Spoofing identity
T — Tampering with data
R — Repudiation (denying actions)
I — Information Disclosure
D — Denial of Service
E — Elevation of Privilege
Used to identify threats to a specific system; maps to security control categories.

Risk Register
Risk Register — key fields
Risk ID | Description | Scenario | Risk Owner | Likelihood (1–5) | Impact (1–5) | Inherent Risk Score | Current Controls | Residual Risk Score | Target Risk Level | Treatment Option | KRI | Review Date. Living source of truth for all identified risks.

Standards
NIST SP 800-30 vs ISO/IEC 27005
NIST SP 800-30: US government guide for conducting risk assessments — defines threat sources, events, vulnerabilities, likelihood, impact determination, risk determination.
ISO/IEC 27005: international standard for information security risk management; aligned with ISO 27001 ISMS. Both are scenario-based qualitative frameworks.

Exam Strategy

Study Advisor

Targeted guidance for Domain 2 exam performance.

🎯 Exam Strategy

Domain 2 is 22% of CRISC. Expect calculation questions — memorize ALE = ARO × SLE and SLE = Asset Value × EF. Scenario questions will ask you to identify inherent vs residual risk or choose the right analysis methodology. Know when to use qualitative vs quantitative, and always anchor your answer to business impact.

📚 Core Resources

  • ISACA CRISC Review Manual — Chapter on Risk Assessment
  • NIST SP 800-30 (free from NIST csrc.nist.gov)
  • ISO/IEC 27005 overview
  • FAIR model introduction (fairinstitute.org)
  • ISACA Risk IT Framework — Risk Evaluation component

💻 Hands-On Practice

  • Build a 5×5 risk matrix for 5 fictional IT risk scenarios
  • Calculate ALE for 3 different asset/threat scenarios using EF, SLE, ARO
  • Create a 5-row risk register with all required fields for a fictional organization
  • Write 3 risk scenarios using the 4-component structure (Actor + Type + Asset + Impact)

⚠️ Common Mistakes

  • Confusing inherent risk (no controls) with residual risk (after controls)
  • Confusing RTO (restore time) with RPO (data loss tolerance)
  • Using ALE without first computing SLE — always work the formula chain
  • Confusing MTD with RTO — MTD is the absolute maximum; RTO must be less than MTD
  • Treating risk assessment as a one-time project rather than an ongoing process

🔗 Related Exam Topics

Risk Assessment (Domain 2) feeds directly into Risk Response (Domain 3) — you cannot select a treatment option without knowing the risk score. The risk register built in Domain 2 is monitored via KRIs and reported via dashboards in Domain 3C. Risk appetite established in Domain 1 (IT Risk Governance) sets the target residual risk level used in Domain 2 analysis.

Official & Reference Sources

Resources

Authoritative links for CRISC Domain 2 study and exam registration.

ISACA CRISC Certification

https://www.isaca.org/credentialing/crisc

Official CRISC certification page — exam registration, eligibility, fees, and credential maintenance.

CRISC Exam Content Outline

https://www.isaca.org/credentialing/crisc/crisc-exam-content-outline

Official domain weighting and task statements — the authoritative guide to what the exam actually tests.

NIST SP 800-30 (Free)

https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

Guide for Conducting Risk Assessments — free US government standard, highly tested on CRISC.

ISO/IEC 27005 Overview

https://www.iso.org/standard/80585.html

International information security risk management standard; aligned with ISO 27001 ISMS.

FAIR Institute

https://www.fairinstitute.org

Factor Analysis of Information Risk — quantitative risk model used for cost-benefit analysis of controls.

ISACA Risk IT Framework

https://www.isaca.org/resources/isaca-journal/issues/2014/volume-5/risk-it-framework

ISACA's Risk IT Framework — Risk Evaluation component directly supports Domain 2 competencies.
