Certifications and Standards Flashcards

1
Q

What are the ISO Standards for Information Security?

A

ISO/IEC 27001: Information Security Management System (ISMS)
ISO/IEC 27002: Code of Practice for Information Security Controls
ISO/IEC 27004: Information Security Management — Monitoring, Measurement, Analysis, and Evaluation
ISO/IEC 27005: Information Security Risk Management
ISO/IEC 27017: Code of Practice for Information Security Controls for Cloud Services
ISO/IEC 27035: Information Security Incident Management

2
Q

What are the ISO Standards for Privacy?

A

ISO/IEC 27701: Privacy Information Management System (PIMS)
ISO/IEC 27018: Code of Practice for Protecting Personal Data in the Cloud
ISO/IEC 29100: Privacy Framework
ISO/IEC 29134: Guidelines for Privacy Impact Assessment (PIA)

3
Q

ISO/IEC 27001

A

ISO/IEC 27001: Information Security Management System (ISMS) requirements (current edition 2022)

Requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
It is the only standard in the ISO/IEC 27000 family against which an organization can be certified (by an accredited certification body); the other parts are guidance. Its Annex A lists the reference controls that ISO/IEC 27002 elaborates, and certification demonstrates the organization's commitment to information security management to stakeholders.

4
Q

ISO/IEC 27002

A

ISO/IEC 27002: Information Security Controls (titled "Code of Practice for Information Security Controls" in the 2013 edition)

Guidelines for the selection, implementation, and management of the controls referenced in ISO/IEC 27001 Annex A.
The 2013 edition had 114 controls organized in 14 control clauses and 35 control objectives. The 2022 edition consolidates them into 93 controls in four themes: organizational, people, physical, and technological. Example controls: access control, cryptography, physical and environmental security, incident management.

5
Q

ISO/IEC 27005

A

ISO/IEC 27005: Information Security Risk Management.
Guidelines for information security risk management (ISRM), supporting the overall ISMS as per ISO/IEC 27001.

Compared with the NIST RMF (SP 800-37), it does not prescribe a specific risk assessment methodology but supports various approaches, such as qualitative, quantitative, or hybrid assessments. It is used internationally across various industries, not just government.

6
Q

ISO/IEC 27701

A

ISO/IEC 27701: Privacy Information Management System (PIMS)
An extension to ISO/IEC 27001 and ISO/IEC 27002, it provides requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). Because it extends ISO/IEC 27001, PIMS certification is issued as an extension of an existing ISMS certification.
It covers protecting privacy, managing personal data as a PII controller and/or PII processor, and demonstrating compliance with data protection regulations such as GDPR.

7
Q

ISO/IEC 27017

A

ISO/IEC 27017: Code of Practice for Information Security Controls for Cloud Services

Purpose: This standard provides guidelines for information security controls applicable to the provision and use of cloud services.
Key Components: It includes specific controls and implementation guidance tailored to cloud service environments, addressing both cloud service providers and cloud service customers.

8
Q

ISO/IEC 27018

A

ISO/IEC 27018: Code of Practice for Protecting Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors

Purpose: This standard focuses on the protection of personal data in public cloud computing environments; it is written for cloud service providers in their role as PII processors (the customer remains the PII controller).
Key Components: Controls and guidelines for implementing measures to protect personal data, ensure compliance with legal and regulatory requirements, and manage cloud-specific risks.

9
Q

ISO/IEC 27035

A

ISO/IEC 27035: Information Security Incident Management

Purpose: This standard provides guidelines for the detection, reporting, assessment, and response to information security incidents.
Key Components: It includes a structured approach to managing and responding to incidents, helping organizations to minimize the impact of security breaches.

10
Q

ISO/IEC 29100

A

ISO/IEC 29100: Privacy Framework

Purpose: This standard provides a framework for the protection of privacy in the context of processing personal data.
Key Components: It includes principles, actors, and controls for privacy and data protection, offering a foundation for developing and implementing privacy policies.

11
Q

ISO/IEC 27004

A

ISO/IEC 27004: Information Security Management — Monitoring, Measurement, Analysis, and Evaluation
Purpose: This standard provides guidelines on how to assess the effectiveness of an ISMS and the controls in place.
Key Components: It includes methodologies for monitoring, measuring, analyzing, and evaluating the performance of the ISMS.

12
Q

ISO/IEC 29134

A

ISO/IEC 29134: Guidelines for Privacy Impact Assessment (PIA)
Purpose: This standard provides guidelines for conducting privacy impact assessments (PIAs) to assess the impact of data processing on privacy.
Key Components: It includes a process for identifying and mitigating privacy risks associated with processing personal data.

13
Q

What is ISO?

A

International Organization for Standardization, an independent, non-governmental body of national standards bodies. The information security standards above are published jointly with the International Electrotechnical Commission (hence "ISO/IEC"). They provide frameworks and guidelines for organizations to manage information security and privacy risk, comply with legal and regulatory requirements, and demonstrate that to stakeholders (for ISO/IEC 27001 and 27701, through third-party certification).

14
Q

What is NIST?

A

National Institute of Standards and Technology. Founded in 1901, it is a U.S. federal agency under the Department of Commerce (DoC) that develops technology, metrics, and standards to drive innovation and economic competitiveness. Its Special Publications (SP 800 series) are the security guidance referenced below.

15
Q

What are the most important NIST Standards?

A
  • NIST SP 800-30: Guide for Conducting Risk Assessments
  • NIST SP 800-37: Risk Management Framework for Information Systems and Organizations
  • NIST SP 800-39: Managing Information Security Risk
  • NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations
  • NIST SP 800-161: Cybersecurity Supply Chain Risk Management
  • NIST SP 800-171: Protecting CUI in Nonfederal Systems and Organizations
  • NIST CSF 2.0
  • NIST SP 800-218: SSDF
16
Q

NIST SP 800-218

A

NIST SP 800-218: Secure Software Development Framework (SSDF) Version 1.1

A set of high-level secure software development practices that can be integrated into any SDLC implementation. The practices are grouped into four areas: Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV). The goals are to reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences.

17
Q

NIST SP 800-53

A

SP 800-53: Security and Privacy Controls for Information Systems and Organizations.

Provides a catalog of security and privacy controls for federal information systems and organizations. It includes guidelines for selecting and specifying security controls for information systems supporting executive agencies of the U.S. federal government.

18
Q

NIST SP 800-171

A

NIST SP 800-171 r3: Protecting CUI in Nonfederal Systems and Organizations

Provides guidelines on protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. CUI is a category of information in the United States that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, but which is not classified under Executive Order 13526 (“Classified National Security Information”).

19
Q

NIST SP 800-30

A

NIST SP 800-30 r1: Guide for Conducting Risk Assessments.

It provides the methodology for preparing, conducting, communicating, and maintaining risk assessments: identifying threat sources and events, vulnerabilities, likelihood, and impact, and prioritizing the resulting risks. It supports the RMF (SP 800-37) and the organization-wide view of risk in SP 800-39.

FISMA mandates that agencies conduct regular risk assessments.

20
Q

NIST SP 800-37

A

NIST SP 800-37 r2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.

It defines the Risk Management Framework (RMF) process for managing security and privacy risk. Revision 2 has seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor (Revision 1 had six; Prepare was added in r2).
Risk assessment findings from NIST SP 800-30 inform control selection in the RMF's Select step.

FISMA requires continuous monitoring and a formal security authorization process.

21
Q

NIST SP 800-39

A

SP 800-39: Managing Information Security Risk.

It expands the RMF by providing guidance on enterprise-wide risk management across three tiers (organization, mission/business process, and information system) and covers risk framing, assessment, response, and monitoring, including risk tolerance and risk governance.

FISMA requires agencies to consider organizational-level risk and not just IT system risk.

22
Q

NIST SP 800-88

A

NIST SP 800-88, Revision 1, Guidelines for Media Sanitization, describes best practices for combating data remanence. It defines three sanitization levels (Clear, Purge, Destroy) and specifies, per media type, which methods achieve each level.

23
Q

NIST SP 800-161

A

NIST SP 800-161: Cybersecurity Supply Chain Risk Management.

It aims to help federal agencies manage supply chain risks by incorporating supply chain risk management (SCRM) practices into their overall risk management activities. This involves identifying, assessing, and mitigating risks that arise from the global and complex nature of supply chains.

24
Q

NIST CSF 2.0

A

A voluntary framework of cybersecurity outcomes that organizations can use to assess and improve their ability to manage cybersecurity risk. Version 2.0 (February 2024) applies to organizations of any size and sector, not only U.S. critical infrastructure or the private sector, and adds a Govern function to the original five, giving six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.

25
What is CIS Controls?
Center for Internet Security Controls. One of the simplest frameworks for companies of all sizes, it provides a prioritized set of best practices for securing IT systems and data against cyber threats. Version 8 has 18 controls, broken into safeguards grouped into Implementation Groups (IG1 to IG3) so smaller organizations can start with a minimal baseline. The controls are designed to mitigate the most prevalent and dangerous cyber attacks.
26
What is PCI DSS?
PCI DSS: Payment Card Industry Data Security Standard
Purpose: Establishes requirements for organizations that store, process, or transmit cardholder data for the major card schemes, including Visa, Mastercard, American Express, Discover, and JCB.
Key Components: Includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.
27
What is GDPR?
GDPR: General Data Protection Regulation
EU regulation on data protection and privacy for all individuals within the European Union and the European Economic Area. It sets out principles for data management and the rights of individuals, with provisions for data breach notifications, the appointment of data protection officers, and strong penalties for non-compliance.
28
What is HIPAA?
HIPAA: Health Insurance Portability and Accountability Act U.S. legislation that provides data privacy and security provisions for safeguarding medical information.
29
What is COBIT?
COBIT: Control Objectives for Information and Related Technologies A framework for developing, implementing, monitoring, and improving IT governance and management practices.
30
What is FISMA?
FISMA: Federal Information Security Management Act of 2002, updated by the Federal Information Security Modernization Act of 2014. U.S. legislation aimed at improving the security of federal information systems and networks; NIST develops the standards and guidelines (FIPS and SP 800 series) that agencies must follow to comply.
31
Regulation from India
Information Technology Act, 2000 (IT Act) and Amendments
Purpose: The primary law governing cyber activities in India, including data protection, cybercrime, and electronic commerce.
Digital Personal Data Protection Act, 2023 (DPDP Act)
Purpose: A comprehensive data protection law to protect personal data and establish a Data Protection Board of India. It was enacted in August 2023 and replaced the earlier Personal Data Protection Bill (PDPB), which was withdrawn.
32
Regulations from China
Cybersecurity Law (CSL)
Purpose: To enhance the security of network products and services and protect personal information.
Data Security Law (DSL)
Purpose: To regulate data processing activities and ensure data security.
Personal Information Protection Law (PIPL)
Purpose: To protect personal information and regulate its processing.
33
Regulations from the USA
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
Purpose: To enhance privacy rights and consumer protection for residents of California.
Health Insurance Portability and Accountability Act (HIPAA)
Purpose: To protect sensitive patient health information.
Cybersecurity Information Sharing Act (CISA) of 2015
Purpose: To improve cybersecurity through enhanced sharing of information about cybersecurity threats between the private sector and the government.
FISMA: Federal Information Security Management Act
Purpose: U.S. legislation aimed at improving the security of federal information systems and networks.
34
Regulations from the European Union
General Data Protection Regulation (GDPR)
Purpose: To protect personal data and privacy of individuals in the EU and harmonize data protection laws across member states.
Network and Information Systems (NIS) Directive, replaced by the NIS2 Directive (2022; member states had to transpose it by October 2024)
Purpose: To improve the cybersecurity capabilities of EU member states and ensure the resilience of critical infrastructure and other essential and important entities.
Digital Operational Resilience Act (DORA), adopted in 2022 and applicable from 17 January 2025
Purpose: To establish a framework for digital operational resilience in the financial sector, including ICT risk management, incident reporting, resilience testing, and third-party (ICT provider) risk.
35
Regulations from the United Kingdom
UK GDPR (UK General Data Protection Regulation), the version of the GDPR retained in UK law after Brexit
Data Protection Act (DPA) 2018
Purpose: To supplement the UK GDPR and provide a comprehensive data protection framework.
National Cyber Security Centre (UK NCSC)
Note: Not a regulation but the UK's national technical authority for cyber security; it publishes guidance (for example, Cyber Essentials and the Cyber Assessment Framework) used to assess compliance with UK requirements.
36
What is FRAP?
Facilitated Risk Analysis Process (FRAP), a qualitative risk assessment methodology focused on reducing costs. No probability numbers or annualized loss expectancy values are used. The criticalities of the risks are determined by the team members’ experience. The goal is to keep the scope of the assessment small and the assessment processes simple.
37
What is OCTAVE?
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), is a methodology intended to be used when people manage and direct the risk evaluation for information security within their organization. It relies on the idea that the people working inside the organization/environment best understand what is needed and what kind of risks they are facing. OCTAVE stresses a self-directed team approach.
38
What is FMEA
Failure Modes and Effect Analysis (FMEA) is a technique used in risk management and security assessment. This method identifies possible functional failures, and assesses their causes and effects (severity) for prioritization. It is commonly used in development and operational environments. The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break.
39
What is FTA?
Fault Tree Analysis (FTA) is a technique used in risk management and security assessment, commonly applied to more complex systems. The undesired effect is taken as the root or top event of a logic tree, which is then broken down into all potential contributing factors using AND/OR gates, down to basic events. Each minimal combination of basic events that triggers the top event is a minimal cut set; the smallest and most likely cut sets are where controls are best placed.
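A small fault-tree evaluator, added here as an illustration of the AND/OR structure described above (it is not part of the original flashcards). The tree, the event names and the probabilities are constructed for the example; with independent basic events an AND gate multiplies probabilities and an OR gate combines them as 1 - product(1 - p). The code also enumerates the minimal cut sets and ranks them by probability, which is how an analyst decides which contributing path to fix first.

```python
from dataclasses import dataclass
from functools import reduce
from itertools import product
from typing import List, Tuple, Union


@dataclass
class BasicEvent:
    name: str
    p: float  # probability of the event over the assessment period (constructed value)


@dataclass
class Gate:
    kind: str            # "AND" or "OR"
    name: str
    inputs: list         # child nodes (BasicEvent or Gate)


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Probability of the node's event, assuming basic events are independent.
    Caveat: if the same basic event appears under several branches this
    over-approximates an OR gate; use minimal cut sets for the exact picture."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        return reduce(lambda a, b: a * b, ps, 1.0)          # all inputs must occur
    if node.kind == "OR":
        return 1.0 - reduce(lambda a, b: a * (1.0 - b), ps, 1.0)  # any input suffices
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node: Node) -> List[frozenset]:
    """All combinations of basic events that cause the node's event."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        return [s for sets in child_sets for s in sets]      # union of the children's cut sets
    # AND: one cut set from every child, merged together
    return [frozenset().union(*combo) for combo in product(*child_sets)]


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Drop any cut set that is a superset of another (non-minimal)."""
    sets = set(cut_sets(node))
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def rank_cut_sets(node: Node, events: List[BasicEvent]) -> List[Tuple[frozenset, float]]:
    """Minimal cut sets with their probability, most likely first."""
    prob = {e.name: e.p for e in events}
    ranked = [(cs, reduce(lambda a, n: a * prob[n], cs, 1.0)) for cs in minimal_cut_sets(node)]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed example: top event "attacker reads customer records".
EVENTS = [
    BasicEvent("phished_creds", 0.20),
    BasicEvent("no_mfa", 0.50),
    BasicEvent("remote_access_exposed", 0.30),
    BasicEvent("sqli_in_app", 0.10),
    BasicEvent("waf_bypass", 0.40),
    BasicEvent("backup_unencrypted", 0.05),
    BasicEvent("backup_bucket_public", 0.02),
]
E = {e.name: e for e in EVENTS}

TOP = Gate("OR", "attacker_reads_customer_records", [
    Gate("AND", "account_takeover", [E["phished_creds"], E["no_mfa"], E["remote_access_exposed"]]),
    Gate("AND", "sql_injection", [E["sqli_in_app"], E["waf_bypass"]]),
    Gate("AND", "backup_leak", [E["backup_unencrypted"], E["backup_bucket_public"]]),
])


def top_event_probability() -> float:
    return probability(TOP)


def top_event_with_mfa_enforced() -> float:
    """Same tree after enforcing MFA (no_mfa drops to a residual 0.05)."""
    E["no_mfa"].p = 0.05
    try:
        return probability(TOP)
    finally:
        E["no_mfa"].p = 0.50   # restore so other calls see the original tree


if __name__ == "__main__":
    print(f"P(top event) = {top_event_probability():.4f}")
    for cs, p in rank_cut_sets(TOP, EVENTS):
        print(f"  {p:.4f}  {sorted(cs)}")
    print(f"P(top event) with MFA enforced = {top_event_with_mfa_enforced():.4f}")
```

Ranking the cut sets shows that the SQL injection path (0.04) outweighs the account-takeover path (0.03) even though the latter needs three things to go wrong, so the WAF and the application fix come before the MFA rollout in this constructed scenario.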
40
What is FAIR?
Factor Analysis of Information Risk (FAIR), maintained by the FAIR Institute and standardized by The Open Group as Open FAIR, is a quantitative risk model. It decomposes risk into loss event frequency (threat event frequency and vulnerability) and loss magnitude (primary and secondary loss), expressing each as a probability distribution rather than a single guess, so that incident probabilities and their financial impact can be measured and compared in monetary terms.
41
What is TOGAF?
The Open Group Architecture Framework is a model and methodology for the development of enterprise architectures.
42
What is Zachman?
Zachman Framework This is a model for the development of enterprise architectures, developed by John Zachman.
43
COBIT 5
44
ISO 31000
45
PCI/DSS
46
ISACA Risk IT