Answer is D
"To assess risk, you need to think about threats and vulnerabilities. Start by making a list of any potential threats to your organization’s assets, then score these threats based on their likelihood and impact. From there, think about what vulnerabilities exist within your organization, categorize and rank them based on potential impact. These vulnerabilities can consist of people (employees, clients, third parties), processes or lack thereof, and technologies in place. "
https://www.barradvisory.com/roadmap-to-implementing-a-successful-information-security-program/
Performing a risk assessment covers answer C. For example, if you need to be PCI DSS compliant, you first assess the risk in your environment and compare it with what the standard says; your ISA can help you do that before the external assessor (QSA) comes in and assesses your controls (again against the PCI DSS standard) to see your gaps.
While all the options have merit, the most critical factor is ensuring that security controls are risk-based and tailored to the organization's specific needs.
This question is about developing information security controls, and the focus is on what’s most important — which means we’re looking for the most foundational and risk-based approach.
✅ "Exercise due diligence with regard to all risk management information to tailor appropriate controls"
means:
You use risk-based thinking
You evaluate the organization’s specific threats, vulnerabilities, and requirements
You customize controls accordingly, rather than blindly applying standards
This aligns with both:
CISSP best practices
NIST, ISO, and risk-based frameworks like ISO 27005, NIST SP 800-30
Not C ("Review all local and international standards and choose the most stringent based on location"): this might lead to unnecessary complexity or cost without addressing specific organizational needs.
Not D ("Perform a risk assessment and choose a standard that addresses existing gaps"): valuable, but it emphasizes choosing a standard, not tailoring individual controls based on due diligence and a comprehensive understanding of risk.
B is more detailed and specific. Although D can be good, a standard is not everything when developing controls: some standards are non-prescriptive, and some need to be tailored, as no standard fits all.
B. Exercise due diligence with regard to all risk management information to tailor appropriate controls.
When developing information security controls, due diligence ensures that the chosen controls are appropriate and effective based on the specific risks and needs of the organization. By considering all risk management information—such as the organization's risk profile, potential threats, vulnerabilities, and the impact of a security breach—security controls can be tailored to address the unique risks the organization faces. This approach helps ensure that the controls are both effective and proportionate to the risks.
The answer is obviously D: risk assessment, gap analysis (full, partial and non-compliance with ISO controls), and the implementation of security controls in compliance with ISO 27001.
B. Exercise due diligence with regard to all risk management information to tailor appropriate controls.
This approach ensures that the security controls are specifically tailored to the unique risks and needs of the organization. By exercising due diligence, you can identify and assess the specific threats and vulnerabilities that the organization faces, and implement controls that are most effective in mitigating those risks. This method aligns with best practices in risk management and ensures that resources are allocated efficiently to address the most critical security concerns.
B:
You always need to do your "due diligence and due care." While a stringent policy and rules need to be in place, you need to remember that when implementing said controls, they need to be within reach in order to make them effective controls. Due diligence should cover the expectation of covering the local and international standards. It "SHOULD" be implied that this is being looked into, or has been looked into.
D. You need to know what you are doing before you can implement A. Due diligence means nothing if you picked the wrong thing and don't know what you are doing it for. C is partly covered by D, and you may not even want the "most stringent" depending on your organisation. Think like a manager!
The most important option to follow when developing information security controls for an organization is D. Perform a risk assessment and choose a standard that addresses existing gaps. This ensures that security controls are specifically tailored to the organization's needs and vulnerabilities, providing more effective protection against identified threats.
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Commenters (name, vote status, time posted):
JAckThePip: Highly Voted, 2 years, 6 months ago
jackdryan: 2 years ago
Loveguitar: Highly Voted, 2 years, 7 months ago
fuzzyguzzy: Most Recent, 2 weeks, 5 days ago
AjitZavade: 3 weeks, 1 day ago
RedMartian: 3 weeks, 2 days ago
dra3m: 1 month ago
Fouad777: 4 months, 1 week ago
somsom: 6 months, 1 week ago
celomomo: 6 months, 3 weeks ago
adc9365: 8 months ago
JohnBentass: 10 months, 2 weeks ago
1ee7bdb: 1 year ago
Hardrvkllr: 1 year ago
AshStevens: 1 year ago
homeysl: 1 year, 1 month ago
Vaneck: 1 year, 1 month ago
oksey: 1 year, 8 months ago