| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 5.5 - Using Security Baselines
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues Domain 2 with security baselines — the practice of giving every system a trustworthy, secure starting point instead of building protection from a blank page, and the steps that shape a generic set of controls into one that genuinely fits an organization and the rules it must obey.
What this episode covers
- What a security baseline is — an agreed minimum set of controls, often enforced by imaging and automated drift checks.
- Impact levels and control strength — low, moderate, and high tiers set the weight, with a privacy baseline layered on for personal data.
- Tailoring — adjusting the baseline to fit, tuning values, filling gaps, and swapping in compensating controls.
- Scoping — trimming controls that do not apply, with every removal justified in writing.
- Honoring external standards — non-negotiable outside rules, from payment card requirements to regional privacy laws.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is a security baseline?
An agreed minimum set of controls that every in-scope system must meet, giving you a consistent, secure starting point instead of improvising each time. A common way to enforce one is imaging: you harden a single machine, capture it as a template, and stamp that same secure image onto every new device. Automated checks then run in the background and quietly reapply any setting that drifts out of line.
How do impact levels shape the controls you pick?
By matching the strength of protection to what is at stake. A widely used framework sorts systems into low, moderate, and high impact based on the harm a compromise would cause, and the levels build upward, so a high-impact system inherits everything below it plus its own additions. There is also a dedicated privacy baseline for any system handling personal data, which you layer on top of the others.
What is tailoring?
Adjusting the baseline so it truly fits your organization, like buying a suit off the rack and having it altered to fit your exact frame. It means tuning control values, adding what the baseline missed, and swapping in compensating controls where the standard option will not work. For example, you might tighten a lockout policy from five failed attempts down to three.
What is scoping, and how does it fit in?
Scoping is the trimming step inside tailoring, where you walk through the baseline and keep only the controls that actually apply to the system in front of you. If a machine never allows two people to sign in at the same time, a control policing simultaneous sessions is pointless, so you scope it out. But every removal must be justified in writing, so no control quietly vanishes without a reason.
Why must you still honor external standards?
Because some requirements are not yours to negotiate away. Handle payment cards, and the payment card industry standard sets terms you must follow; process the personal data of people in certain regions, and their privacy law binds you too. Not every rule applies to every organization, so identify which ones govern you, then make sure your tailored baseline fully satisfies each of them.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 5.5 - Using Security Baselines.