nerdexam
(ISC)2

CISSP · Question #1078

What is the FIRST step when developing an Information Security Continuous Monitoring (ISCM) program?

The correct answer is D. Define an ISCM strategy based on risk tolerance.. Developing an ISCM program follows a defined six-step process per NIST SP 800-137, where defining a risk-based strategy is the foundational first step before any implementation or data collection occurs.

Submitted by certguy· Mar 5, 2026Security and Risk Management

Question

What is the FIRST step when developing an Information Security Continuous Monitoring (ISCM) program?

Options

  • AEstablish an ISCM technical architecture.
  • BCollect the security-related information required for metrics, assessments, and reporting.
  • CEstablish an ISCM program determining metrics, status monitoring frequencies, and control
  • DDefine an ISCM strategy based on risk tolerance.

How the community answered

(14 responses)
  • B
    14% (2)
  • C
    7% (1)
  • D
    79% (11)

Why each option

Developing an ISCM program follows a defined six-step process per NIST SP 800-137, where defining a risk-based strategy is the foundational first step before any implementation or data collection occurs.

AEstablish an ISCM technical architecture.

Establishing the ISCM technical architecture is a later implementation step (Step 3 in NIST SP 800-137) that occurs after the strategy and program details have already been defined.

BCollect the security-related information required for metrics, assessments, and reporting.

Collecting security-related information for metrics, assessments, and reporting is Step 5 in the ISCM process, occurring only after the strategy, program, and technical architecture have been established.

CEstablish an ISCM program determining metrics, status monitoring frequencies, and control

Establishing the ISCM program by determining metrics, monitoring frequencies, and control assessment frequencies is Step 2, which follows the initial strategy definition and relies on the risk tolerance already identified in Step 1.

DDefine an ISCM strategy based on risk tolerance.Correct

According to NIST SP 800-137, the first step in the ISCM process is to define an ISCM strategy based on the organization's risk tolerance, mission, and business needs. This strategy establishes the overarching direction and priorities that guide all subsequent steps, ensuring that monitoring activities are aligned with organizational risk decisions before metrics, architectures, or data collection are configured.

Concept tested: NIST SP 800-137 ISCM program development first step

Source: https://csrc.nist.gov/publications/detail/sp/800-137/final

Topics

#continuous monitoring#ISCM#risk tolerance#security strategy

Community Discussion

No community discussion yet for this question.

Full CISSP Practice