You should only create a plan based on a recognized framework once you've done proper reconnaissance of your infrastructure. In most cases, companies ignore this because they have a pretty good "idea" of what they have, so they move to selecting a framework. But it is a critical FIRST step.
ChatGPT: C
When designing an internal security control assessment, the first step should be to align the assessment with a recognized framework (e.g., NIST 800-53, ISO/IEC 27001, COBIT). This ensures:
The assessment is structured and standardized.
Controls are comprehensive and traceable to known best practices.
The plan is scalable and comparable across assessments and organizations.
When designing an internal security control assessment, the first step is to establish a structured approach using a recognized framework of known controls (e.g., NIST Cybersecurity Framework, ISO 27001, CIS Controls). This ensures that the assessment is comprehensive, standardized, and aligned with industry best practices.
B is right: You choose a framework depending on what inventory you have. For example, if you have credit card transactions you are working with PCI, so the PCI compliance framework is applicable. You don't decide on a framework and then look at the components/inventory.
A framework of best practices is best. It will also guide you in how and what to look for while assessing your org's infrastructure. You are also likely dealing with regulatory compliance, so you would choose a framework based on how your business operates, like PCI DSS or NIST, and not based on the devices you have.
Frameworks are not exclusively used for external assessments; in fact, they are commonly used in both internal and external assessments. Many organizations use recognized security frameworks as a foundation for planning and performing internal assessments because these frameworks provide a standardized approach to identifying, implementing, and evaluating security controls. (aka. informal assessments)
If we use the steps in NIST 800-37 (RMF), it would be B: categorize your information systems. This includes questions such as "What do we have? How does this system fit into our organization's business processes? How sensitive is it?"
Once that is done, you move on to selecting security controls, which might include selecting a recognized control framework such as 800-53.
The VERY FIRST step would be to define scope & objectives, which is not listed. The 2nd step would be to pick a framework: ANSWER C. Then the interviews/recon, etc. happen. The first few steps that apply here are: 1. Identify the scope and objectives of the assessment.
2. Select a recognized framework of known controls, such as NIST SP 800-53, ISO/IEC 27001, or CIS Controls.
3. Develop assessment procedures based on the chosen framework.
4. Determine the resources needed for the assessment, including personnel, tools, and documentation.
5. Schedule the assessment activities, including interviews, document reviews, and technical testing.
Answer C) Create a plan based on a recognized framework of known controls.
https://www.sharetru.com/blog/nist-security-controls-assessment-guide#:~:text=Developing%20a%20strategy%20for%20how%20to%20conduct%20your%20security%20control%20assessments%20makes%20it%20easier%20to%20ensure%20these%20assessments%20are%20uniform%2C%20cost%2Deffective%2C%20and%20comprehensive.
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters:
WiDeBarulho (Highly Voted, 2 years, 8 months ago)
Cww1 (Highly Voted, 2 years, 9 months ago)
jackdryan (2 years, 1 month ago)
KingsterKok (Most Recent, 2 weeks, 2 days ago)
c6b1991 (1 month, 1 week ago)
a_kto_to (1 month, 1 week ago)
a_kto_to (2 months ago)
3545cec (4 months, 3 weeks ago)
Jayelv (6 months, 1 week ago)
Tuhaar (6 months, 3 weeks ago)
JeffDidntKillHimself (7 months, 3 weeks ago)
deeden (10 months, 3 weeks ago)
JohnBentass (1 year ago)
klarak (1 year, 2 months ago)
eboehm (1 year, 2 months ago)
GuardianAngel (1 year, 4 months ago)
Hongjun (1 year, 3 months ago)
gjimenezf (1 year, 5 months ago)
YesPlease (1 year, 6 months ago)