ISC2 Certified Cloud Security Professional (CCSP) Practice Question

Your multinational company is preparing a business-case for migrating critical finance applications to a SaaS provider. Senior leadership has asked the risk team to deliver an assessment that expresses cloud-related threats and loss events in monetary terms so that cost-benefit trade-offs can be clearly understood. Which of the following risk management frameworks best satisfies this requirement?

Factor Analysis of Information Risk (FAIR)
COSO Internal Control - Integrated Framework
ISO/IEC 31000 Enterprise Risk Management Guidelines
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

Report Issue

Answer Description

Factor Analysis of Information Risk (FAIR) was created specifically to quantify information and technology risk in financial terms, providing estimates of probable loss magnitude and frequency. This aligns exactly with management's request for a money-based view of cloud threats.

OCTAVE offers a structured, primarily qualitative approach that focuses on organizational self-assessment rather than detailed financial modeling. ISO/IEC 31000 provides broad principles and a high-level process for risk management but leaves quantification methods to practitioners. The COSO Internal Control - Integrated Framework concentrates on internal control effectiveness and financial reporting assurance, not on calculating expected loss from specific IT threats. Therefore, FAIR is the only framework designed to translate information-risk scenarios into monetary values, making it the most suitable choice.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.