Certified Chief Information Security Officer (CCISO) — Question 4

What is the SECOND step to creating a risk management methodology according to the National Institute of Standards and Technology (NIST) SP 800-30 standard?

Answer options

• A. Mitigate risk
• B. Perform a risk assessment
• C. Determine appetite
• D. Evaluate risk avoidance criteria

Correct answer: B

Explanation

The correct answer is B, as performing a risk assessment is the second step in the risk management process outlined by NIST SP 800-30. Options A, C, and D represent different phases or actions that occur at other points in the risk management methodology, not the second step.