| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 1.5 - Manage the Security Function (Part 2 of 2)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues the security function in Domain 1, turning to the frameworks that give it structure. It surveys the major named frameworks a security professional is expected to recognize, what each one is built for, and the twin habits of diligence that back them all up.
What this episode covers
- Security control frameworks — proven structures of guidelines, standards, best practices, and controls to adopt, not invent.
- ISO/IEC 27000 family — worldwide standards forming a broad basis for organizational security and management.
- NIST publications — a US federal reference for security and privacy controls, plus risk management and cybersecurity frameworks.
- COBIT and SABSA — mapping security to business objectives, and risk-driven enterprise security architecture.
- PCI DSS — card-brand requirements protecting credit and debit card data, enforced through audits.
- FedRAMP — standardized assessment, authorization, and continuous monitoring of cloud services for US federal use.
- ITIL — best practices for aligning IT services and security with business goals.
- Due diligence and due care — planning what should be done versus doing it, together disproving negligence.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is a security control framework?
It is a structured set of guidelines, standards, best practices, and controls that helps an organization manage and strengthen its security posture. Rather than inventing controls yourself, you adopt a proven structure for identifying, implementing, and monitoring them across your data, systems, and networks. Several organizations publish and maintain these frameworks, each with its own focus.
What is the ISO/IEC 27000 family of security standards?
It comes from the International Organization for Standardization, working alongside the International Electrotechnical Commission. These are worldwide standards drawn up by representatives from national standards bodies, and the security-focused 27000 family gives you a broad basis for building organizational security and its supporting management practices. These standards are widely accepted across industries, and some governments have even adopted them as requirements.
What is COBIT, and who is it for?
COBIT is a documented set of IT security best practices from the professional body ISACA. It lays out goals and requirements for controls and pushes you to map security ideals directly onto business objectives, resting on principles for governing and managing enterprise technology — from delivering stakeholder value to keeping governance distinct from management. Auditors lean on it heavily as a guideline.
What problem does PCI DSS solve?
PCI DSS is a set of security requirements built by the major card brands to protect credit and debit card data. It covers secure handling of cardholder data, strong network security, tight access on a need-to-know basis, continuous monitoring and testing, and clear incident response. Any entity that processes card transactions must comply, and failure can bring fines, lost processing privileges, and reputational damage.
What do due diligence and due care really mean?
They are the twin habits that prove you took security seriously. Due diligence is understanding what needs to happen and laying the groundwork for it — building the formal structure of policy, standards, baselines, guidelines, and procedures. Due care is carrying out the correct steps when they are called for, actually applying that structure day after day. One is planning, the other is disciplined practice, and together they let you disprove negligence when a loss occurs.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 1.5 - Manage the Security Function (Part 2 of 2).