cism-d2-risk-management-risk-and-threat-landscape

Risk and Threat Landscape

isaca-cism · framework · Gold standard

Drawn fromCISM Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Risk and Threat Landscape

The Risk and Threat Landscape is a structured, evidence-based inventory of all plausible adversarial actors — their capabilities, motivations, and attack methods — together with the emerging technological and geopolitical forces that shape the probability and impact of harm to an organization's information assets. It is NOT a list of known vulnerabilities (that is vulnerability management), NOT a point-in-time snapshot (it continuously evolves), and NOT synonymous with a risk register (the threat landscape is an INPUT that feeds risk registers, not the output itself). A well-formed threat landscape assessment answers three questions: Who wants to harm us and why? How would they do it? What external forces are changing those answers?

Where it stops · what it isn't

—IS: A forward-looking, intelligence-driven characterization of adversarial intent, capability, and opportunity scoped to a specific organization and its sector
—IS NOT: A vulnerability scan or penetration test output — those assess exploitability, not attacker motivation or strategic intent
—IS NOT: A completed risk assessment — threat landscape assessment is a prerequisite input to risk assessment, not the assessment itself
—IS: Inclusive of both external threats (nation-states, organized crime, hacktivists, opportunistic attackers) and internal threats (negligent insiders, malicious employees, compromised accounts)
—IS NOT: Generic or sector-agnostic — a valid threat landscape is always scoped to an organization's industry, geography, size, and data profile
—IS: Continuously updated as the environment changes — a threat landscape brief older than 12 months without interim updates is operationally stale
—IS NOT: Equivalent to threat intelligence — threat intelligence is raw data; the threat landscape is the synthesized, contextualized picture derived from that data

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

ENABLES

Risk Assessment Evaluation and AnalysisVulnerability and Control Deficiency AnalysisInformation Risk ResponseRisk Monitoring Reporting and Communication

REQUIRES

Threat Intelligence Sources and FeedsAsset Inventory and Classification

PART OF

Information Security Risk Management (CISM Domain 2)

RELATED TO

Risk Assessment Evaluation and Analysis

CONSTRAINS

Security Control Selection and Prioritization

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.