
Identifying risk is only half the job in information security.
What truly matters—and what CISSP tests heavily—is what you do after a risk is identified.
Many CISSP candidates understand threats and vulnerabilities, but lose marks when asked to choose the right risk treatment option. This blog breaks down the four CISSP risk treatment options in simple, business-focused terms, exactly the way CISSP expects you to think.
Why Risk Treatment Matters in CISSP
CISSP is not about eliminating all risk. That is neither realistic nor achievable.
Instead, CISSP evaluates whether you can:
- Make informed business decisions
- Balance security with cost and operations
- Choose an appropriate response based on risk appetite and impact
In the exam, selecting the wrong treatment option—even after correctly identifying risk—can cost easy marks.
A Simple Business Analogy: Opening a Shop
Imagine you are planning to open a shop.
There are obvious risks:
- Theft
- Fire
- Flood
- Power failure
You cannot eliminate all of these risks. What you can do is decide how to deal with each one.
That decision-making process is exactly what CISSP means by risk treatment.
Risk Avoidance: Don’t Do It at All
Risk avoidance means eliminating the activity that creates the risk.
You are not fixing the risk—you are removing the cause.
Example
If a location has extremely high crime rates, you may decide not to open the shop there at all.
In Security Terms
- Choosing not to deploy a high-risk system
- Disabling an unnecessary, externally exposed service
- Avoiding processing sensitive data in an insecure environment
CISSP Mindset
Risk avoidance is chosen when the risk is unacceptable and no reasonable control can reduce it.
Avoidance is powerful, but it is not always practical.
Risk Mitigation: Reduce the Risk
Risk mitigation means reducing risk to an acceptable level.
This is the most common risk treatment option in CISSP questions.
Example
You open the shop, but you:
- Install CCTV
- Add locks and alarms
- Hire security staff
The risk still exists, but it is reduced.
In Security Terms
- Patching vulnerabilities
- Implementing access controls
- Monitoring and logging
CISSP Mindset
Mitigation lowers the likelihood or the impact of a risk; it does not remove the risk entirely, and what remains after the controls are applied is the residual risk.
Risk Transfer: Shift the Impact
Risk transfer means shifting the financial or operational impact to another party.
Important clarification:
- Risk is not eliminated
- Accountability often remains with the organisation
Example
- Purchasing insurance
- Outsourcing certain services
In Security Terms
- Cyber insurance
- Cloud services or MSSPs
- Contracts and SLAs
CISSP Mindset
You can transfer impact, but you cannot fully transfer responsibility.
This distinction is frequently tested in CISSP.
Risk Acceptance: Live with the Risk
Risk acceptance means acknowledging the risk and taking no immediate action.
This does not mean ignoring the risk.
Example
If the cost of controls is higher than the potential loss, accepting the risk may be reasonable.
In Security Terms
- Low-impact risks
- Legacy systems nearing end-of-life
- Budget or operational constraints
CISSP Mindset
Risk acceptance must be informed, documented, and approved by management.
Accepting a risk by default, without a documented and approved decision, is never the correct answer in CISSP.
How CISSP Expects You to Choose
CISSP questions rarely ask:
“What are the four risk treatment options?”
Instead, they ask:
- What is the best response?
- What should management do first?
- Which option aligns with business objectives?
Quick Exam Guide
- Unacceptable risk → Avoid
- Reduce risk → Mitigate
- Financial exposure → Transfer
- Low impact → Accept
One-Line Takeaway
CISSP is not about removing all risk.
It’s about choosing the right way to live with risk.
🎧 Listen to the Podcast
This blog is part of the CISSP Blog & Podcast Series on PK’s Chronicles.
If you prefer audio learning, you can listen to the companion podcast episode where this concept is explained in a 10-minute, concept-first format, using simple business analogies.
Listen on Spotify: Search for “PK’s Chronicles”
Each episode focuses on how CISSP wants you to think, not on memorisation or shortcuts.