What is a qualitative risk analysis?
A couple of years ago you started your company, which has now grown from 1 to 20 employees. Your company’s information is worth more and more, and gone are the days when you could keep control yourself. You are aware that you have to take measures, but what should they be? You hire a consultant who advises you to start with a qualitative risk analysis.
What is a qualitative risk analysis?
A. This analysis follows a precise statistical probability calculation in order to calculate exact loss caused by damage.
B. This analysis is based on scenarios and situations and produces a subjective view of the possible threats.
Answer: B
Explanation:
A qualitative risk analysis is based on scenarios and situations and produces a subjective view of the possible threats. It does not use precise statistical probability calculations or exact loss estimates, but rather relies on the experience, intuition and judgement of the risk analysts and stakeholders. It can use descriptive scales, such as high, medium or low, to rank the likelihood and impact of risks. It can be useful for identifying and prioritizing risks, especially when there is limited data or time available. ISO/IEC 27001:2022 defines qualitative risk analysis as “risk analysis that uses scenarios based on events and situations” (see clause 3.35).
Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements, What is Qualitative Risk Analysis?