Exam CISSP topic 1 question 344 discussion

You should only create a plan based on a recognized framework once you've done proper reconnaissance of your infrastructure. In most cases companies ignore this because they have a pretty good "idea" of what they have so they move to selecting a framework. But it is a critical FIRST step.

Do you not need a framework to assess against?

You should know the framework before you can develop a plan...so if the community is split B 45% to C 45% what is the correct answer?

B is first step, C is the later step

You must First align the design to a framework...so the answer is "C"

C. Create a plan based on a recognized framework of known controls.

ChatGTP: C When designing an internal security control assessment, the first step should be to align the assessment with a recognized framework (e.g., NIST 800-53, ISO/IEC 27001, COBIT). This ensures: The assessment is structured and standardized. Controls are comprehensive and traceable to known best practices. The plan is scalable and comparable across assessments and organizations.

When designing an internal security control assessment, the first step is to establish a structured approach using a recognized framework of known controls (e.g., NIST Cybersecurity Framework, ISO 27001, CIS Controls). This ensures that the assessment is comprehensive, standardized, and aligned with industry best practices.

C is correct. that is why we have controls frameworks

B is right : You choose a framework depending on what inventory you have. For example, if you have credit card transactions you are working with PCI so PCI Compliance framework is applicable. You don't decide a framework and then look at the components/inventory

Framework of best practices is best. It will also guide you in how and what to look for while assessing your orgs infrastructure. Also likely dealing with regulatory compliance so you would choose a framework based on how your business operates like PCI DSS or NIST and not based on the devices you have.

Frameworks are not exclusively used for external assessments; in fact, they are commonly used in both internal and external assessments. Many organizations use recognized security frameworks as a foundation for planning and performing internal assessments because these frameworks provide a standardized approach to identifying, implementing, and evaluating security controls. (aka. informal assessments)

Answer is C

It's probably B. You have to know the system before you know what framework to use...

If we use the steps in nist 800-37(RMF), it would be B. Categorize your information systems. This includes questions such as "what do we have?" How does this system fit into our organizations business processes, how sensitive is it?" Once that is done then you move onto selecting security controls which might include selecting a recognized control framework such as 800-53

The VERY FIRST step would be to define a scope & objectives which is not listed. The 2nd step would be to pick a framework ANSWER C. Then the interviews/reconn, etc happens. The first few steps that apply here are: 1. Identify the scope and objectives of the assessment. 2. Select a recognized framework of known controls, such as NIST SP 800-53, ISO/IEC 27001, or CIS Controls. 3. Develop assessment procedures based on the chosen framework. 4. Determine the resources needed for the assessment, including personnel, tools, and documentation. 5. Schedule the assessment activities, including interviews, document reviews, and technical testing.

First C choose a framework, then B, SOA to determine which controls apply to your current Infrastructure