Effective CISSP Questions

As a system owner, you are selecting controls for the information system and the environment of operation based on the NIST Risk Management Framework (RMF). Which of the following best describes the process of applying scoping considerations (or scoping for short) when tailoring the selected controls? (Wentz QOTD)
A. Scoping identifies and designates common controls from the baseline
B. Scoping justifies why a security control is included in or excluded from the baseline
C. Scoping deals with selecting compensating controls
D. Scoping considers supplementing baselines with additional controls

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Scoping justifies why a security control is included in or excluded from the baseline.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Figure: Security Control Selection Process (Source: NIST SP 800-53 R4)

According to the NIST RMF, applying scoping considerations (or scoping for short) is one of the tailoring activities, and tailoring is conducted after the initial baseline controls have been selected. NIST SP 800-53 R4 lists the tailoring activities as: identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning specific values to organization-defined parameters, supplementing the baseline with additional controls or enhancements, and providing additional specification information for control implementation. The four answer options each describe one of these activities, and only B describes scoping.

  • Some of the selected controls are common controls, provided by the organization or inherited from another system; the system owner documents the inheritance rather than implementing those controls again.
  • Applying scoping considerations means justifying why a control in the selected baseline is included (applicable to the system and its environment of operation) or excluded (for example, a control that addresses a technology or function the system does not have). It is quite similar to preparing the Statement of Applicability (SoA) in ISO 27001, which also records the justification for including or excluding each control.
  • Compensating controls are alternatives to selected controls that are necessary but infeasible or not cost-effective to implement as specified; they must provide equivalent protection and the rationale for using them is documented.
  • Baseline controls selected from the NIST RMF (specifically NIST SP 800-53B, which publishes the control baselines for the Rev 5 control catalog) contain organization-defined parameters. These parameters need to be assigned specific values (for example, how often a review is performed or how long audit records are retained).
  • The selected controls can be supplemented with additional controls or control enhancements where the risk assessment shows that the baseline does not adequately address the risk.

