nerdexam
(ISC)2

CISSP-ISSEP · Question #89

Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Which of the f

The correct answer is A. Organization of information security B. Human resources security C. Risk assessment and treatment. Options A, B, and C are domains found within ISO/IEC 27001/27002, the internationally recognized information security standards published by the International Organization for Standardization (ISO). "Organization of information security," "Human resources security," and "Risk ass

Governance and Training

Question

Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Which of the following are the international information security standards? Each correct answer represents a complete solution. Choose all that apply.

Options

  • AOrganization of information security
  • BHuman resources security
  • CRisk assessment and treatment
  • DAU audit and accountability

How the community answered

(35 responses)
  • A
    91% (32)
  • D
    9% (3)

Explanation

Options A, B, and C are domains found within ISO/IEC 27001/27002, the internationally recognized information security standards published by the International Organization for Standardization (ISO). "Organization of information security," "Human resources security," and "Risk assessment and treatment" are all established control domains or processes defined within this framework, which is adopted globally across industries and governments.

Option D is incorrect because "AU - Audit and Accountability" is a control family from NIST SP 800-53, a US federal government framework published by the National Institute of Standards and Technology. The two-letter prefix ("AU") is a telltale sign of NIST's naming convention, not ISO's domain structure - making it a US national standard rather than an international one.

Memory tip: Think ISO = International - if the control sounds like a plain-English domain name (e.g., "Human Resources Security"), it likely belongs to ISO 27001/27002. If you see a two-letter code prefix like AU, AC, IA, or SC, that's NIST SP 800-53 territory. Spotting that prefix on the exam immediately rules out "international standard."

Topics

#Information Security Standards#ISO 27000 Series#Security Frameworks#Risk Management

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSEP Practice