Effective CISSP Questions

Security control frameworks typically provide hundreds of security controls grouped into various types, categories, or families for organizations to mitigate information security risks. Which of the following is the least common security control type, category, or family? (Wentz QOTD)
A. Cryptography
B. Access control
C. Program management
D. Review of the policies for information security

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Review of the policies for information security.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

[Figure: Security and Privacy Control Families (Source: NIST SP 800-53 R5)]

“Review of the policies for information security” is an individual security control introduced in ISO 27001 Annex A.5. Individual security controls are sorted into categories, types, families, or other buckets by security control frameworks such as NIST RMF and ISO 27001. FIPS 200 mandates 17 security-related areas as the minimum security requirements. NIST RMF addresses them and adds three families: program management; assessment, authorization, and monitoring; and PII processing and transparency.

FIPS 200

  1. access control;
  2. awareness and training;
  3. audit and accountability;
  4. certification, accreditation, and security assessments;
  5. configuration management;
  6. contingency planning;
  7. identification and authentication;
  8. incident response;
  9. maintenance;
  10. media protection;
  11. physical and environmental protection;
  12. planning;
  13. personnel security;
  14. risk assessment;
  15. systems and services acquisition;
  16. system and communications protection;
  17. system and information integrity

ISO 27001 Annex A Controls

  • Annex A.5 – Information security policies (2 controls)
  • Annex A.6 – Organisation of information security (7 controls)
  • Annex A.7 – Human resource security (6 controls)
  • Annex A.8 – Asset management (10 controls)
  • Annex A.9 – Access control (14 controls)
  • Annex A.10 – Cryptography (2 controls)
  • Annex A.11 – Physical and environmental security (15 controls)
  • Annex A.12 – Operations security (14 controls)
  • Annex A.13 – Communications security (7 controls)
  • Annex A.14 – System acquisition, development and maintenance (13 controls)
  • Annex A.15 – Supplier relationships (5 controls)
  • Annex A.16 – Information security incident management (7 controls)
  • Annex A.17 – Information security aspects of business continuity management (4 controls)
  • Annex A.18 – Compliance (8 controls)


Security control frameworks typically provide organizations with hundreds of security controls grouped into various types, categories, or families to mitigate information security risks. Which of the following is the least common security control type, category, or family? (Wentz QOTD)
A. Cryptography
B. Access control
C. Program management
D. Review of the policies for information security
