Understanding Concepts

Question 1

Risk frameworks

Answer 1

Address the “why” they guide strategic decision making about risk

Question 2

Security control frameworks

Answer 2

Address the how providing specific controls to mitigate cybersecurity risk

Question 3

NIST Risk Management Framework also known as RMF

Answer 3

Audience is federal government agencies. The RMF is mandatory for those to which it applies.

Question 4

NIST Cybersecurity Framework also known as CSF

Answer 4

Is aimed at private(commercial) business. The CSF is purely Optional guidance from NIST

Question 5

ISO/IEC 27001:2022

Answer 5

Outlines a framework for implementing maintaining and continually improving an Information Security Management System(ISMS)

Question 6

Information Security Management System(ISMS)

Answer 6

Is a set of policies, processes, and controls that helps organizations protect their information assets.

Question 7

ISO/IEC 27001:2022 guides organizations in

Answer 7

Identifying information assets and assessing their value and information security risks AND
Implementing mitigating security controls(based on ISO 27002)
Regularly monitoring and measuring effectiveness of and continuously improving ISMS
basically focuses more on the What and Why

Question 8

ISO/IEC 27002:2022

Answer 8

Offers best practices and control objectives related to key aspects of cybersecurity in support of ISO/IEC 27001.

Question 9

ISO/IEC 27002:2002 focus areas

Answer 9

Includes access control, cryptography, human resource security, operational security, and incident response
Serves as a practical blueprint for organizational aiming to effectively safeguard their information assets against cyber threats
basically brings practical guidance on how

Question 10

Privacy vs Confidentiality

Answer 10

Privacy focus on the right of the individual person/customer
Confidentiality focuses on data