Risk Management

Question 1

What is the purpose of the document?

Answer 1

To provide an overview of risk management standards, methodologies, and tools, and to support EU institutions in addressing gaps in risk management.

Question 2

Which EU institution facilitates the establishment of risk management standards?

Answer 2

ENISA (European Union Agency for Cybersecurity).

Question 3

What is the NIS Directive?

Answer 3

The Network and Information Security Directive (Directive 2016/1148) that sets legal obligations for ICT security in the EU.

Question 4

How does the Cybersecurity Act define ENISA’s role?

Answer 4

ENISA shall facilitate the establishment and take-up of European and international standards for risk management and ICT security.

Question 5

Which sectors are considered critical under the NIS Directive?

Answer 5

Energy, Transport, Banking, Financial market infrastructures, Health, Drinking water supply, and Digital Infrastructure.

Question 6

What is risk according to ISO 31000:2018?

Answer 6

The effect of uncertainty on objectives.

Question 7

What is risk management?

Answer 7

Coordinated activities to direct and control an organization with regard to risk (ISO 31000:2018).

Question 8

What are the key steps in the risk management process?

Answer 8

Risk identification, risk analysis, risk evaluation, risk treatment, risk monitoring, and risk communication.

Question 9

What is risk treatment?

Answer 9

The process of modifying risk, including avoiding, reducing, sharing, or accepting it.

Question 10

Which regulation focuses on cybersecurity certification?

Answer 10

The Cybersecurity Act (Regulation (EU) 2019/881).

Question 11

What is ISO/IEC 27005?

Answer 11

A standard providing guidelines for information security risk management.

Question 12

Which ISO standard provides general guidelines for risk management?

Answer 12

ISO 31000:2018.

Question 13

What is the role of risk management in cybersecurity?

Answer 13

To protect valuable assets, evaluate security threats, prevent fraud, and ensure business continuity.

Question 14

What are the risk treatment options according to ISO 31000?

Answer 14

Avoiding, taking/increasing, mitigating, sharing, or retaining the risk.

Question 15

What is NIST 800-30?

Answer 15

A risk management guide developed by NIST for assessing and mitigating risks in IT systems.

Question 16

What does the GDPR regulate?

Answer 16

It governs data protection and privacy for individuals in the EU (Regulation (EU) 2016/679).

Question 17

What is the purpose of risk assessment?

Answer 17

To identify and evaluate risks and prioritize them for treatment.

Question 18

What is the difference between risk assessment and risk treatment?

Answer 18

Risk assessment identifies and evaluates risks, while risk treatment focuses on reducing or mitigating them.

Question 19

What are the components of risk analysis?

Answer 19

Threat identification, likelihood estimation, and impact assessment.

Question 20

What does the OCTAVE methodology focus on?

Answer 20

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a self-directed risk evaluation method.

Question 21

What is CRAMM?

Answer 21

A methodology for evaluating security risks by analyzing corporate environments.

Question 22

What does the MEHARI method focus on?

Answer 22

A qualitative risk management approach developed by CLUSIF in France.

Question 23

What is the primary purpose of the Cybersecurity Act?

Answer 23

To establish cybersecurity certification frameworks and risk management standards in the EU.

Question 23

What is IT-Grundschutz?

Answer 23

A risk assessment framework developed by the German BSI for IT security management.

Question 24

What is a standard?

Answer 24

A document providing rules or guidelines on the design, use, or performance of technologies, processes, or systems.

Question 25

What is a methodology?

Answer 25

A structured approach or set of principles for performing a particular activity, such as risk management.

Question 26

What is ISO/IEC 18045?

Answer 26

A companion standard to ISO/IEC 15408, providing evaluation methodologies for IT security.

Question 27

What is an example of a risk assessment tool?

Answer 27

FAIR (Factor Analysis of Information Risk) provides quantitative risk assessment.

Question 28

Which standard is commonly used for cybersecurity risk management in healthcare?

Answer 28

EN ISO 14971 (risk management for medical devices).

Question 29

What is the role of ENISA in risk management?

Answer 29

To facilitate cooperation between stakeholders and support the adoption of EU risk management standards.

Question 30

What does ISO/IEC 27001 focus on?

Answer 30

Information Security Management Systems (ISMS) requirements.

Question 31

What does ISO/IEC 27002 provide?

Answer 31

Guidelines and best practices for information security management.

Question 32

What is a risk owner?

Answer 32

A person or entity responsible for managing and mitigating a specific risk.

Question 33

Which framework is used for vulnerability assessment?

Answer 33

Common Vulnerabilities and Exposures (CVE) system.

Question 34

What is the Security Content Automation Protocol (SCAP)?

Answer 34

A synthesis of security standards used for automated vulnerability management and compliance assessment.

Question 35

What does the BowTie methodology focus on?

Answer 35

A qualitative risk analysis method used to visualize risk scenarios and mitigation strategies.

Question 36

What is the Digital Services Act (DSA)?

Answer 36

A proposed EU regulation for a single market for digital services, including cybersecurity measures.

Question 37

What is CLUSIF?

Answer 37

CLUSIF (Club de la Sécurité de l'Information Français) is a French non-profit organization dedicated to information security and risk management. It develops methodologies like MEHARI, promotes cybersecurity awareness, and facilitates collaboration between cybersecurity professionals, businesses, and government agencies.

Question 38

What is the role of the European Standardisation Organisations (ESOs)?

Answer 38

ESOs (CEN, CENELEC, and ETSI) develop European standards (ENs) that apply across EU countries, supporting cybersecurity and risk management.

Question 39

What is a European Standard (EN)?

Answer 39

A document ratified by one of the three ESOs that must be implemented as a national standard in EU member states.

Question 40

What is the purpose of ISO/IEC 15408 (Common Criteria)?

Answer 40

It provides a framework for evaluating ICT product security through security functional and assurance requirements.

Question 41

What is ENISA’s role in European cybersecurity?

Answer 41

ENISA supports EU cybersecurity policies, promotes risk management standards, and enhances cybersecurity resilience across member states.

Question 42

What is the CSA (Cybersecurity Act) regulation?

Answer 42

The Cybersecurity Act (Regulation (EU) 2019/881) establishes EU-wide cybersecurity certification frameworks and strengthens ENISA’s role.

Question 43

What is risk acceptance?

Answer 43

The decision to retain a risk after assessing its impact and likelihood, acknowledging that the risk remains.

Question 44

What is ISO/IEC 27001 designed for?

Answer 44

It defines requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

Question 45

What is EBIOS Risk Manager?

Answer 45

A risk assessment methodology developed in France, compliant with ISO 31000 and ISO/IEC 27005, designed to analyze and mitigate cybersecurity risks.

Question 45

What is the role of ISO/IEC 27005?

Answer 45

It provides guidelines for information security risk management, supporting the implementation of ISO/IEC 27001.

Question 46

What is the MEHARI methodology?

Answer 46

A risk assessment and management method developed by CLUSIF that helps organizations evaluate security threats and define protection measures.

Question 47

What is the difference between ISO 31000 and ISO/IEC 27005?

Answer 47

ISO 31000 provides general risk management principles, while ISO/IEC 27005 focuses on information security risk management.

Question 47

What is the IT-Grundschutz approach?

Answer 47

A cybersecurity framework developed by Germany’s BSI that provides structured risk management and protection guidelines for IT systems.

Question 48

What is the purpose of NIST SP 800-39?

Answer 48

It provides a framework for managing information security risks at organizational, mission, and business levels.

Question 49

What is the role of ISO/IEC 18045?

Answer 49

It provides methodologies for IT security evaluation, complementing the Common Criteria (ISO/IEC 15408).

Question 50

What is the difference between qualitative and quantitative risk assessment?

Answer 50

Qualitative risk assessment uses descriptive scales (e.g., low, medium, high), while quantitative risk assessment assigns numerical values to risk impact and probability.

Question 50

What does the Baldrige Cybersecurity Excellence Builder (BCEB) do?

Answer 50

It is a self-assessment tool that helps organizations evaluate and improve their cybersecurity risk management.

Question 51

What is the Common Vulnerability Scoring System (CVSS)?

Answer 51

A framework for rating and communicating the severity of software vulnerabilities.

Question 52

What is the MITRE CVE system?

Answer 52

A global system that identifies and catalogs publicly known cybersecurity vulnerabilities.

Question 53

What is a vulnerability database?

Answer 53

A database that collects, categorizes, and provides information on known cybersecurity vulnerabilities (e.g., MITRE CVE, NVD).

Question 54

What is the role of Security Content Automation Protocol (SCAP)?

Answer 54

SCAP provides automated security vulnerability management and compliance assessment.

Question 55

What is the OWASP Threat Modeling Tool?

Answer 55

A tool that helps organizations identify, assess, and mitigate security threats in software and systems.

Question 56

What is the Digital Services Act (DSA)?

Answer 56

A proposed EU regulation aiming to establish a single market for digital services with cybersecurity and risk management requirements.

Question 57

What is the purpose of a Risk Treatment Plan?

Answer 57

A structured action plan to mitigate, transfer, accept, or avoid identified risks.

Question 58

What is the difference between a Risk Register and a Risk Treatment Plan?

Answer 58

A Risk Register is a record of identified risks, while a Risk Treatment Plan describes actions to manage or mitigate those risks.

Question 59

What is the BowTie Risk Analysis method?

Answer 59

A qualitative risk analysis method that visually represents risk scenarios, identifying preventive and reactive measures.

Question 60

What is the role of Artificial Intelligence in risk management?

Answer 60

AI can automate risk detection, analyze patterns, and predict cybersecurity threats.

Question 61

What is the main goal of the Cyber Risk Temperature Tool?

Answer 61

It helps SMEs assess cybersecurity risks by identifying vulnerabilities and recommending security measures.

Question 62

What is the purpose of the ePrivacy Regulation?

Answer 62

It aims to strengthen online privacy by regulating electronic communications and protecting personal data.

Question 63

What is a supply chain attack?

Answer 63

A cyberattack targeting vendors or third-party providers to compromise the security of a final product or service.

Question 64

What is the MITIGATE framework?

Answer 64

A cybersecurity framework for supply chain risk assessment, integrating threat intelligence and ISO standards.

Question 65

What is the purpose of the RESISTO project?

Answer 65

It provides cyber-physical risk management solutions for critical communication infrastructures.

Question 66

What does the FINSEC project focus on?

Answer 66

It provides a cybersecurity toolbox for risk assessment and anomaly detection in the financial sector

Question 67

What is the role of risk management in cybersecurity certification?

Answer 67

It ensures that ICT products, services, and processes meet security requirements before deployment.