Domain 6: Legal, Risk & Compliance Module 67 of 70

Module 67: Enterprise Risk Management in the Cloud

CCSP Domain 6 — Legal, Risk & Compliance, Section B
The CCSP exam tests enterprise risk management in the cloud as a shared problem. You cannot transfer risk accountability to a cloud provider any more than you can transfer it to any other vendor. The exam expects you to think about cloud risk as part of enterprise risk, not as a separate category.

ERM and Cloud Computing

Enterprise Risk Management encompasses all risks an organization faces — strategic, operational, financial, compliance, and technology risks. Cloud computing does not create a separate risk category; it modifies existing risk categories. The CCSP exam tests whether you integrate cloud risks into the enterprise risk framework rather than managing them in isolation.

Cloud Risk Assessment

The exam tests a structured approach to cloud risk assessment:

Asset Identification

Before assessing risk, identify what assets are in the cloud: data classifications, applications, infrastructure components, and their business criticality. The exam tests whether you maintain a comprehensive cloud asset inventory as the foundation for risk assessment.

Threat Identification

Cloud-specific threats include: data breaches, account compromise, insecure APIs, system vulnerabilities, malicious insiders (both customer and provider side), abuse of cloud resources, and denial of service. The exam expects you to identify threats specific to the cloud service model being used.

Vulnerability Assessment

Cloud vulnerabilities include: misconfigured access controls, unpatched guest OS (IaaS), inadequate encryption, lack of monitoring, and weak authentication. The exam tests whether you assess vulnerabilities within your own responsibility boundary and whether you verify the provider's side through independent audit reports (for example, SOC 2 Type II or ISO 27001 certification) rather than by testing the provider's infrastructure yourself.

Impact Analysis

The exam expects risk impact to be expressed in business terms, not technical terms. A data breach is not "loss of 10,000 records" — it is "regulatory fines, reputational damage, and customer loss estimated at $X." Business impact drives risk prioritization.

Exam trap: When a question asks how to prioritize cloud risks, the answer is based on business impact, not technical severity. A high-severity technical vulnerability in a system with no sensitive data may be lower priority than a medium-severity vulnerability in a system processing regulated data.

Shared Responsibility and Risk Ownership

The shared responsibility model is also a shared risk model. The exam tests whether you understand:

  • Customer-owned risks: Data classification, identity and access management, application security, and compliance with the regulations that apply to the customer's data.
  • Provider-owned risks: Physical security, hypervisor security, and infrastructure availability.
  • Shared risks: Patch management (who patches the operating system depends on the service model: the customer in IaaS, the provider in PaaS and SaaS), encryption (the provider may implement the cipher, but key management and the decision to encrypt often sit with the customer), and network security (split by layer: the provider secures the physical and hypervisor network, the customer configures security groups, firewalls, and application-layer controls).

The critical exam principle: while operational risk may be shared, accountability for data protection remains with the data owner (the customer).

Risk Registers and Cloud

The exam tests whether cloud risks appear in the enterprise risk register alongside other business risks. Cloud risks should not be tracked in a separate shadow register maintained by the IT team — they must be visible to enterprise risk management.

Quantitative vs. Qualitative Risk Assessment

  • Quantitative: Assigns monetary values to risk. Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO). The exam tests this formula and its application to cloud scenarios.
  • Qualitative: Uses scales (high/medium/low) to rate likelihood and impact. More commonly used when precise monetary values are unavailable. The exam tests whether you can use risk matrices to prioritize cloud risks.
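To make the two methods, and the exam trap on prioritizing by business impact rather than technical severity, concrete, here is an added illustration (not from the original module or from (ISC)²) of a minimal cloud risk register. It computes ALE = SLE × ARO for each entry, scores each entry on a three-point likelihood × impact matrix, and ranks the register by each method. The register entries, dollar figures, rates, and the three-point scales are constructed for illustration, not taken from any real assessment; note that the "high" technical-severity sandbox vulnerability ends up below the "medium" misconfiguration that exposes regulated data under both methods.

```python
"""Minimal cloud risk register with quantitative (ALE) and qualitative (matrix) ranking.

Added illustration; every entry, figure and scale below is constructed (hypothetical).
"""
from collections import defaultdict
from dataclasses import dataclass

# Ordinal scales for the qualitative method (constructed three-point scales).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class CloudRisk:
    name: str
    sle: float                # Single Loss Expectancy: business cost of one event, in dollars
    aro: float                # Annual Rate of Occurrence: expected events per year
    likelihood: str           # qualitative likelihood: low / medium / high
    impact: str               # qualitative business impact: low / medium / high
    technical_severity: str   # scanner/CVSS-style label; deliberately NOT a ranking input

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro

    def qualitative_score(self) -> int:
        """Risk-matrix cell value = likelihood x impact on the ordinal scales."""
        return SCALE[self.likelihood] * SCALE[self.impact]


def prioritize(risks, method="quantitative"):
    """Return the register ordered highest priority first, by ALE or by matrix score."""
    if method == "quantitative":
        key = CloudRisk.ale
    elif method == "qualitative":
        key = CloudRisk.qualitative_score
    else:
        raise ValueError(f"unknown method: {method}")
    # sorted() is stable, so equal scores keep register order.
    return sorted(risks, key=key, reverse=True)


def risk_matrix(risks):
    """Group risk names into matrix cells keyed by (likelihood, impact)."""
    cells = defaultdict(list)
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.name)
    return dict(cells)


def summarize(risks):
    """Rows of (name, technical severity, ALE, matrix score) for a report."""
    return [(r.name, r.technical_severity, r.ale(), r.qualitative_score()) for r in risks]


# Constructed register entries (hypothetical figures for illustration only).
REGISTER = [
    CloudRisk("Unpatched guest OS on non-production sandbox (no sensitive data)",
              sle=5_000, aro=2.0, likelihood="high", impact="low",
              technical_severity="high"),
    CloudRisk("Misconfigured object-storage ACL exposing regulated customer data",
              sle=2_000_000, aro=0.1, likelihood="medium", impact="high",
              technical_severity="medium"),
    CloudRisk("CSP region outage halting order processing",
              sle=150_000, aro=0.5, likelihood="medium", impact="medium",
              technical_severity="n/a"),
    CloudRisk("Leaked API key abused for crypto-mining (resource abuse)",
              sle=20_000, aro=1.0, likelihood="high", impact="low",
              technical_severity="high"),
]


if __name__ == "__main__":
    for method in ("quantitative", "qualitative"):
        print(f"\n== Prioritized by {method} business impact ==")
        for r in prioritize(REGISTER, method):
            print(f"  ${r.ale():>12,.0f} ALE | matrix {r.qualitative_score()} | "
                  f"technical severity {r.technical_severity:<6} | {r.name}")
```

Running the script prints the register twice, once per method. The ranking is driven entirely by `sle`, `aro`, `likelihood` and `impact`, all of which are business-impact inputs; `technical_severity` is carried along only so the report can show that it does not determine the order.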

Cloud Risk Scenarios

The exam may present scenarios like: evaluating the risk of vendor lock-in, assessing the impact of a CSP outage on business operations, or analyzing the risk of regulatory non-compliance due to data location. For each, the exam tests whether you follow a structured assessment process and express results in business terms.

AI and Emerging Technology Risks

The updated CCSP outline includes AI-related risks. Cloud-based AI services introduce risks around data exposure during model training, bias in AI outputs affecting business decisions, and lack of transparency in AI processing. The exam expects you to include these emerging risks in cloud risk assessments.

Common Exam Traps

  • Cloud risk as separate from enterprise risk: Cloud risks must be integrated into the enterprise risk framework.
  • Technical impact only: Risk impact must be expressed in business terms for executive decision-making.
  • Transferring accountability: Moving to the cloud transfers operational responsibility for some controls but never transfers accountability for data.
  • Risk assessment as one-time activity: Cloud risk assessment must be ongoing because the environment changes continuously.

Key Takeaways for the Exam

Cloud risks belong in the enterprise risk register. Risk assessment follows asset identification, threat identification, vulnerability assessment, and business impact analysis. The shared responsibility model creates a shared risk model. Accountability for data stays with the customer. Risk impact is expressed in business terms. Both quantitative and qualitative methods have roles. AI and emerging technologies introduce new risk categories. Risk assessment is continuous, not one-time.

Next module: Module 68, Risk Treatment and Frameworks