Logically, the next step after the development of the Information Security Continuous Monitoring (ISCM) program is to implement an ISCM program, which consists of collecting the security-related information required for metrics, assessments, and reporting. Automate collection, analysis, and reporting of data wherever possible.
So the answer must be: A. Collect the security-related information required for metrics, assessments, and reporting.
C. Define an ISCM strategy based on risk tolerance.
When developing an Information Security Continuous Monitoring (ISCM) program, the first step is to define an ISCM strategy based on the organization's risk tolerance. This involves assessing the organization's risk appetite, understanding its security objectives, and determining the level of risk it is willing to accept.
Information Security Continuous Monitoring Reference
Continuous monitoring can be a ubiquitous term as it means different things to different professions. NIST SP 800-137 sets forth a standard to follow when applying the principle in the risk management framework utilizing the NIST control set. The primary process for implementing ISCM is to:
1 - Define the ISCM strategy
2 - Establish an ISCM program
3 - Implement an ISCM program
4 - Analyze data and report findings
5 - Respond to findings
6 - Review and update the monitoring program and strategy
Factored into this is the use of manual and automated checks to provide continuous updates and feedback to the system as a whole.
C is correct, which is from the CISSP Cert Guide 2022: According to NIST SP 800-137, ISCM is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Organizations should take the following steps to establish, implement, and maintain ISCM:
1. Define an ISCM strategy based on risk tolerance that maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.
2. Establish an ISCM program that includes metrics, status monitoring frequencies, control assessment frequencies, and an ISCM technical architecture.