Risk assessment — SY0-701
Master the Risk Assessment concept for CompTIA Security+ SY0-701 — what it is, how it fits risk management, and the exam traps candidates fall into.
WHAT IT IS
Risk assessment is "the process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system." (NIST SP 800-30 Rev. 1, via NIST CSRC Glossary)
It incorporates threat and vulnerability analyses and considers the mitigations provided by planned or existing security controls.
Mental model
Think of risk assessment as a structured answer to three questions asked in sequence:
- Identify — What threats exist, and what vulnerabilities could they exploit?
- Estimate — How likely is exploitation, and how severe would the impact be?
- Prioritize — Given limited resources, which risks deserve the most attention first?
Each step builds on the one before. You cannot meaningfully prioritize what you have not yet estimated, and you cannot estimate what you have not yet identified.
The vocabulary used in these three steps (threat, vulnerability, likelihood of occurrence, impact, and risk assessment itself) follows the NIST CSRC Glossary entries for those terms.
When to use it
Risk assessment is one step within the broader risk management program. Candidates often conflate the assessment itself with the full management lifecycle.
| Concept | Scope | Key question answered |
|---|---|---|
| Risk assessment | Discrete analytical activity — identify, estimate, prioritize | "What are our risks and how significant are they?" |
| Risk management | Ongoing program encompassing risk assessment, risk response, and continuous monitoring | "How do we govern risk across the organization over time?" |
Risk assessment feeds into risk management; it does not replace it. Choosing a risk response (accept, avoid, transfer, mitigate) is a risk management decision, not part of the assessment itself.
COMMON MISCONCEPTION
A common misconception is that risk assessment produces the security controls or risk responses. It does not. According to NIST, risk assessment identifies and prioritizes risks; the organization's risk response processes determine what to do about them. Candidates who conflate "assessing risk" with "managing risk" may incorrectly answer questions about who owns a risk decision or when an assessment is complete.
A second trap: confusing threat with vulnerability. NIST defines a threat as any circumstance or event with the potential to adversely impact organizational operations, assets, or individuals, while a vulnerability is a weakness in a system, procedure, control, or implementation that could be exploited or triggered by a threat source. A threat with no vulnerability to exploit produces no risk, and a vulnerability with no threat source to exploit it produces none either; risk exists only where the two are paired, and its magnitude is estimated from the likelihood of that exploitation and the impact it would have.
How it shows up on the exam
Risk assessment questions typically target the analysis cognitive level — candidates are asked to apply the concept to a scenario rather than recall a definition. Watch for:
- Scenarios that describe an organization discovering weaknesses in systems and ask what the next step should be — the answer often involves estimating and prioritizing rather than immediately implementing controls.
- Questions that mix assessment vocabulary (likelihood, impact, threat, vulnerability) and ask which factor is being described — grounding the NIST definitions for each term helps distinguish them.
- Scenarios where a risk has been assessed but no response has been chosen yet — candidates who assume assessment includes the response decision may select the wrong answer.
The concept is also linked to the distinction between qualitative and quantitative approaches — both are methods for performing the estimation step of a risk assessment.
Related concepts
- Quantitative risk analysis — uses numerical values to estimate likelihood and impact during the estimation step
- Qualitative risk analysis — uses descriptive scales (high/medium/low) to estimate and prioritize risks
- Risk register — the artifact that records identified, estimated, and prioritized risks produced by or maintained through ongoing assessments
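The following script is an added worked example, not code from the page, CompTIA, or NIST. It runs the three steps above over a small risk register: a validation check that each entry pairs a threat with a vulnerability, a qualitative estimate (ordinal likelihood times ordinal impact) and a quantitative estimate (SLE = AV x EF, ALE = SLE x ARO, the standard Security+ formulas), and a prioritization that ranks entries by either estimate. The three-point scale, the sample assets, and all dollar figures and rates are constructed assumptions for illustration. The output deliberately contains no risk response column: choosing accept, avoid, transfer, or mitigate belongs to risk management, not to the assessment.

```python
"""Risk register: identify -> estimate -> prioritize (added example, not NIST/CompTIA code)."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed three-point descriptive scale mapped to ordinal values.
QUAL_SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    """One identified risk: a threat paired with the vulnerability it could exploit."""
    asset: str
    threat: str             # circumstance/event with potential for adverse impact
    vulnerability: str      # weakness the threat source could exploit
    likelihood: str         # qualitative: low / medium / high
    impact: str             # qualitative: low / medium / high
    asset_value: float      # AV, in currency units (assumed figure)
    exposure_factor: float  # EF, fraction of AV lost per occurrence, 0..1
    aro: float              # annualized rate of occurrence, events per year


def validate(risk: Risk) -> None:
    """Identify-step check: risk requires both a threat and a vulnerability."""
    if not risk.threat.strip():
        raise ValueError(f"{risk.asset}: no threat source identified")
    if not risk.vulnerability.strip():
        raise ValueError(f"{risk.asset}: no vulnerability identified")
    if risk.likelihood not in QUAL_SCALE or risk.impact not in QUAL_SCALE:
        raise ValueError(f"{risk.asset}: likelihood/impact must be one of {sorted(QUAL_SCALE)}")
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError(f"{risk.asset}: exposure factor must lie between 0 and 1")


def qualitative_score(risk: Risk) -> int:
    """Estimate step, qualitative: ordinal likelihood x ordinal impact (1..9)."""
    return QUAL_SCALE[risk.likelihood] * QUAL_SCALE[risk.impact]


def quantitative_ale(risk: Risk) -> tuple[float, float]:
    """Estimate step, quantitative: SLE = AV x EF; ALE = SLE x ARO. Returns (SLE, ALE)."""
    sle = risk.asset_value * risk.exposure_factor
    return sle, sle * risk.aro


def prioritize(risks: list[Risk], method: str = "qualitative") -> list[str]:
    """Prioritize step: asset names ordered highest estimated risk first.

    No response (accept/avoid/transfer/mitigate) is recorded here; that decision
    is made by the risk management process, after the assessment is complete.
    """
    for r in risks:
        validate(r)
    if method == "qualitative":
        key = qualitative_score
    elif method == "quantitative":
        def key(r: Risk) -> float:
            return quantitative_ale(r)[1]
    else:
        raise ValueError(f"unknown method {method!r}")
    return [r.asset for r in sorted(risks, key=key, reverse=True)]


# Constructed sample register; every value below is an assumption for illustration.
SAMPLE_REGISTER = [
    Risk("customer database", "external attacker", "unpatched SQL injection in web app",
         "high", "high", asset_value=2_000_000, exposure_factor=0.25, aro=0.5),
    Risk("email accounts", "phishing campaign", "no MFA on mail logins",
         "high", "medium", asset_value=500_000, exposure_factor=0.20, aro=1.0),
    Risk("laptop fleet", "device theft", "no full-disk encryption",
         "medium", "medium", asset_value=400_000, exposure_factor=0.05, aro=6.0),
]


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        sle, ale = quantitative_ale(r)
        print(f"{r.asset:18} qual={qualitative_score(r)}  SLE={sle:>10,.0f}  ALE={ale:>10,.0f}")
    print("qualitative order :", prioritize(SAMPLE_REGISTER, "qualitative"))
    print("quantitative order:", prioritize(SAMPLE_REGISTER, "quantitative"))
```

With these assumed inputs the two estimation methods agree on the top risk but disagree on the rest: the laptop fleet rates medium/medium qualitatively, yet its frequent, cheap losses give it a larger ALE than the phishing risk. That divergence is the practical reason the exam distinguishes the two approaches, and why the estimation method chosen should be stated alongside the prioritized list.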
Sources
Every claim on this page traces to the public exam blueprint and official documentation: