nerdexam
(ISC)2

CISSP · Question #288

A company was ranked as high in the following National Institute of Standards and Technology (NIST) functions: Protect, Detect, Respond and Recover. However, a low maturity grade was attributed to the

The correct answer is A. Asset Management, Business Environment, Governance and Risk Assessment. The NIST Cybersecurity Framework organizes security activities into five core functions, each containing specific control categories. A low maturity in the 'Identify' function points to deficiencies in the categories that fall under it.

Submitted by packet_pusher· Mar 5, 2026Security and Risk Management

Question

A company was ranked as high in the following National Institute of Standards and Technology (NIST) functions: Protect, Detect, Respond and Recover. However, a low maturity grade was attributed to the Identify function. In which of the following the controls categories does this company need to improve when analyzing its processes individually?

Options

  • AAsset Management, Business Environment, Governance and Risk Assessment
  • BAccess Control, Awareness and Training, Data Security and Maintenance
  • CAnomalies and Events, Security Continuous Monitoring and Detection Processes
  • DRecovery Planning, Improvements and Communications

How the community answered

(43 responses)
  • A
    74% (32)
  • B
    14% (6)
  • C
    2% (1)
  • D
    9% (4)

Why each option

The NIST Cybersecurity Framework organizes security activities into five core functions, each containing specific control categories. A low maturity in the 'Identify' function points to deficiencies in the categories that fall under it.

AAsset Management, Business Environment, Governance and Risk AssessmentCorrect

The NIST CSF 'Identify' function encompasses the control categories of Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), and Risk Management Strategy (ID.RM). These categories focus on developing organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Improving these areas directly addresses the low maturity score in the Identify function.

BAccess Control, Awareness and Training, Data Security and Maintenance

Access Control, Awareness and Training, Data Security, and Maintenance are control categories belonging to the 'Protect' function of the NIST CSF, not the 'Identify' function, and the company already scores high in Protect.

CAnomalies and Events, Security Continuous Monitoring and Detection Processes

Anomalies and Events, Security Continuous Monitoring, and Detection Processes are control categories within the 'Detect' function of the NIST CSF, which the company already has a high maturity rating for.

DRecovery Planning, Improvements and Communications

Recovery Planning, Improvements, and Communications are control categories that belong to the 'Recover' function of the NIST CSF, in which the company already demonstrates high maturity.

Concept tested: NIST CSF Identify function control categories

Source: https://www.nist.gov/cyberframework/framework

Topics

#NIST Cybersecurity Framework#risk management#asset management#governance

Community Discussion

No community discussion yet for this question.

Full CISSP Practice