Which elements are central to Domain 2 Risk Management?

Prepare for the Internal Auditing Standards and Practices - Cybersecurity Test. Gain confidence with multiple choice questions and clear explanations. Ace your exam!

Multiple Choice

Which elements are central to Domain 2 Risk Management?

Explanation:
At the heart of risk management is building a program that identifies what needs protection, understands the threats to those assets, and sets the boundaries for acceptable risk. Asset identification anchors everything by revealing where critical information and systems reside so you know what to protect. Threat assessment then weighs the likelihood and potential impact of those threats, helping you prioritize where to focus controls and resources. Risk appetite defines the level of risk the organization is willing to accept, guiding decisions about risk responses and controls. Third-party risk extends that view to external relationships, ensuring external dependencies don’t undermine your risk posture. Ongoing monitoring keeps the risk picture current, signaling when controls need adjustment as the environment changes.

While governance elements such as board oversight and policies, and assurance activities such as independent assessments, are important to the overall security program, they support the risk management process rather than define its core. Breach response relates to reacting to incidents, which is a separate operational area from the ongoing risk management activities described here.
