Framework Identification Flashcards

(45 cards)

1
Q

A company is designing a system of internal controls to ensure the accuracy and reliability of financial reporting, including oversight by management and monitoring of control effectiveness. Which framework would be most appropriate?

A

COSO — Control Environment & Monitoring Activities

Why:
COSO is the primary framework for internal control over financial reporting (ICFR).

Control Environment → tone at the top

Monitoring → ensuring controls continue to operate effectively

2
Q

An organization wants to ensure its IT systems align with overall business objectives, while also managing IT risks and performance. Which framework should it use?

A

COBIT — Governance & Management Objectives

Why:
COBIT focuses on IT governance, making sure IT supports business goals and risks are managed appropriately.

3
Q

A company is building a cybersecurity program and needs a structured approach to identify threats, protect systems, detect attacks, and recover from incidents. Which framework is most appropriate?

A

National Institute of Standards and Technology — Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover)

Why:
NIST CSF is designed specifically for managing cybersecurity risk across the full lifecycle. The five functions listed are those of CSF 1.1; CSF 2.0 (2024) adds a sixth, Govern, ahead of them, so a question that mentions six functions still points to NIST CSF.

4
Q

A company wants to demonstrate to external stakeholders that it follows internationally recognized information security practices and is willing to undergo formal certification. Which framework should it adopt?

A

International Organization for Standardization 27001 — Information Security Management System (ISMS)

Why:
ISO 27001 provides a formal, certifiable security standard, often used to prove security maturity to customers and regulators.

5
Q

A company is evaluating whether its IT controls support reliable financial reporting, including access controls and change management. Which framework is most relevant?

A

COSO — Information & Communication + Control Activities

Why:
Even though IT is involved, the objective is financial reporting reliability, which points to COSO (not COBIT). Access controls and change management are IT general controls, and COSO's Control Activities component addresses them directly (Principle 11: the organization selects and develops general control activities over technology).
COBIT would be used if the focus were broader IT governance.

6
Q

An organization wants a flexible framework to improve its cybersecurity posture internally, without needing formal certification. Which should it use?

A

National Institute of Standards and Technology — Cybersecurity Framework

Why:
NIST is guidance-based and flexible, unlike ISO which is formal and certifiable.

7
Q

A service organization wants to provide ongoing assurance to customers about internal controls over time, but not necessarily obtain a formal certification. What should it use?

A

SOC 2 Type 2 (not ISO)

Why:

ISO = certification

SOC 2 = assurance report over controls
A SOC 2 is an attestation report issued by a CPA firm against the AICPA Trust Services Criteria. Type 2 covers the operating effectiveness of controls over a review period, whereas Type 1 covers only design and implementation at a point in time, which is why "ongoing assurance over time" points to Type 2.
This distinction shows up often in ISC sims.

8
Q

Management is emphasizing ethical behavior, integrity, and accountability across the organization. Which framework component does this relate to?

A

COSO — Control Environment

Why:
Control Environment = tone at the top, ethics, governance foundation.

9
Q

A company wants a prioritized, practical checklist of specific security actions (e.g., inventory devices, control admin privileges, continuous vulnerability management) to quickly improve its cybersecurity posture. Which framework is most appropriate?

A

Center for Internet Security Controls

Why:
CIS Controls are:

Action-oriented

Prioritized (18 controls in v8, with Implementation Groups IG1–IG3 ordering what to do first)

Designed for implementation, not just guidance

Think:
👉 “What should we do first to be secure?”

10
Q

A federal contractor must implement detailed, specific security controls to comply with government requirements, including access control policies, audit logging, and system integrity controls. Which framework should be used?

A

National Institute of Standards and Technology SP 800-53 — Security Control Catalog

Why:
NIST SP 800-53 provides:

Detailed control requirements

Used heavily by government and regulated entities

Much more granular than NIST CSF

11
Q

An organization wants a high-level framework to organize its cybersecurity program, but does not need detailed control specifications. Which should it use?

A

National Institute of Standards and Technology Cybersecurity Framework (CSF)

Why:

NIST CSF = high-level structure (Identify–Protect–Detect–Respond–Recover)

NIST SP 800-53 = detailed control list

12
Q

A small-to-midsize company wants a simple, prioritized set of cybersecurity actions rather than a comprehensive framework. Which is best?

A

Center for Internet Security Controls

Why:
CIS is:

Simpler than NIST

More practical and implementation-focused

Designed for quick adoption

13
Q

A company is concerned that its IT function is not aligned with business strategy, and leadership wants stronger governance over IT decisions. Which framework should be implemented?

A

COBIT — Governance Objectives

Why:

COBIT = IT governance and alignment of IT with business strategy

NIST CSF = cybersecurity risk management, not enterprise IT governance or IT value delivery

14
Q

An organization wants to obtain formal certification for its information security program rather than just implement detailed controls. Which should it choose?

A

International Organization for Standardization 27001 — ISMS

Why:

ISO = certification

NIST SP 800-53 = control catalog (no certification)

15
Q

An auditor notes that a company:

Maintains an inventory of authorized devices

Controls use of administrative privileges

Continuously monitors vulnerabilities

Which framework are these controls most closely associated with?

A

Center for Internet Security Controls

Why:
These are signature CIS controls—very practical, specific security actions.

16
Q

A federal contractor must implement detailed, categorized security controls such as AC (Access Control) and AU (Audit & Accountability). Which framework should be used?

A

National Institute of Standards and Technology SP 800-53

Why:
Those two-letter control families are a hallmark of NIST SP 800-53.

17
Q

A company wants a framework to ensure internal controls over financial reporting are properly designed and monitored.

A

COSO

Why:
COSO is the primary framework for internal control over financial reporting (ICFR)—it covers design, implementation, and monitoring of controls.

18
Q

An organization needs a structured approach to identify, detect, respond to, and recover from cyber threats.

A

National Institute of Standards and Technology Cybersecurity Framework

Why:
This is literally the NIST CSF lifecycle: Identify → Protect → Detect → Respond → Recover.

19
Q

A company wants a prioritized list of specific security actions like controlling admin privileges and inventorying devices.

A

Center for Internet Security Controls

Why:
CIS Controls are a prioritized, action-oriented list of specific safeguards; asset inventory and restricting administrative privileges are among the first things they tell you to do.

20
Q

A federal contractor must implement detailed, categorized security controls such as AC (Access Control) and AU (Audit & Accountability).

A

National Institute of Standards and Technology SP 800-53

Why:
NIST SP 800-53 is a detailed control catalog, commonly required for government and regulated environments.

21
Q

Management wants to ensure IT strategy aligns with business objectives and risk management goals.

A

COBIT

Why:
COBIT focuses on IT governance, ensuring IT supports business strategy and manages risk.

22
Q

An organization wants a flexible cybersecurity framework but does NOT need detailed control requirements.

A

National Institute of Standards and Technology Cybersecurity Framework

Why:
NIST CSF is high-level and flexible, unlike SP 800-53 which is highly detailed.

23
Q

A company wants to demonstrate to customers that it meets internationally recognized security standards and obtain certification.

A

International Organization for Standardization 27001

Why:
ISO 27001 is a formal, certifiable information security standard used for external credibility.

24
Q

A company is implementing controls to ensure ethical behavior, strong governance, and tone at the top.

A

COSO — Control Environment

Why:
The Control Environment component of COSO focuses on ethics, integrity, and governance culture.

25
Q

An organization wants very detailed, prescriptive security controls but does NOT care about certification.

A

National Institute of Standards and Technology SP 800-53

Why:
SP 800-53 provides specific, prescriptive controls, while ISO is used for certification.

26
Q

A small company wants a simple, practical way to quickly improve cybersecurity without complexity.

A

Center for Internet Security Controls

Why:
CIS Controls are designed to be simple, actionable, and easy to implement, especially for smaller organizations.

27
Q

A company wants to ensure all employees are aware of ethical standards, management sets the tone for integrity, and internal audits are monitored regularly.

A

COSO — Control Environment

Why:
The Control Environment establishes the ethical foundation and tone at the top, critical for reliable internal controls.

28
Q

Management wants to track whether IT projects are delivering business value, align IT with corporate goals, and ensure proper oversight over IT risks.

A

COBIT — Governance & Management Objectives

Why:
COBIT ensures IT is aligned with business strategy and manages IT-related risks effectively.

29
Q

A company wants to prioritize cybersecurity improvements by first ensuring device inventory, restricting admin rights, and monitoring critical vulnerabilities.

A

Center for Internet Security Controls 1–6 (Inventory, Privilege Management, Continuous Vulnerability Management)

Why:
CIS Controls provide actionable, prioritized steps to improve security quickly and effectively. "Controls 1–6" is the "basic" group of CIS Controls v7; in v8 the same safeguards live in Controls 1 and 2 (enterprise asset and software inventory), 5 and 6 (account management and access control management) and 7 (continuous vulnerability management).

30
Q

A federal contractor must implement detailed security controls across access, audit logs, and system integrity to comply with government requirements.

A

National Institute of Standards and Technology SP 800-53 — Security Control Catalog (AC, AU, SI families)

Why:
SP 800-53 is a detailed, prescriptive catalog of controls required for regulated entities.

31
Q

An organization wants a high-level, flexible cybersecurity framework to organize its Identify → Protect → Detect → Respond → Recover activities.

A

National Institute of Standards and Technology Cybersecurity Framework (CSF)

Why:
NIST CSF provides a strategic, flexible approach to manage cybersecurity risk across the entire lifecycle.
32
Q

During an audit, a team observes that developers can move code to production without approval. Management wants to fix the gap to prevent unauthorized changes.

A

COSO — Control Activities

Why:
Control Activities ensure policies and procedures are enforced, preventing unauthorized or risky actions. Here the missing control is change management with segregation of duties: the person who writes a change should not be the one who approves and deploys it.

33
Q

A company wants to show customers and regulators that it follows internationally recognized information security practices and can obtain formal certification.

A

International Organization for Standardization 27001 — Information Security Management System (ISMS)

Why:
ISO 27001 is a formal, certifiable security standard, ideal for external assurance.

34
Q

A company is reviewing whether IT controls over financial reporting—like access restrictions and change management—are effective.

A

COSO — Information & Communication / Control Activities

Why:
COSO covers design, implementation, and monitoring of controls, including IT-related controls impacting financial reporting.

35
Q

A small business wants a practical set of cybersecurity actions that can be implemented quickly without complex governance structures.

A

Center for Internet Security Controls — Implementation Groups 1–2

Why:
CIS Controls provide simple, high-impact actions perfect for small or medium-sized organizations.

36
Q

A federal contractor needs to demonstrate continuous compliance with specific security requirements for sensitive information and show detailed control adherence.

A

National Institute of Standards and Technology SP 800-53 — Continuous Monitoring & Security Control Families

Why:
SP 800-53 supports detailed, ongoing compliance monitoring, ensuring regulatory and security requirements are met. Continuous monitoring is itself a catalogued control (CA-7) and the final step of the NIST Risk Management Framework (SP 800-37). Caveat: a contractor protecting Controlled Unclassified Information is in practice held to NIST SP 800-171, whose requirements are derived from the SP 800-53 moderate baseline; if an exam question names CUI or DFARS, expect 800-171 as the answer.
37
Q

A company is designing controls to ensure accurate financial reporting and reliable accounting systems.

A

COSO — Control Activities

Why:
Control Activities are the actual policies/procedures that ensure transactions are properly processed.

38
Q

Management is focused on identifying enterprise-wide risks, including strategic and operational risks, not just financial reporting.

A

COSO ERM — Risk Assessment

Why:
COSO ERM expands beyond ICFR to enterprise-wide risk management, including strategy. Risk Assessment was one of the eight components of the 2004 COSO ERM cube; in the 2017 update (Integrating with Strategy and Performance) risk identification and assessment sit within the Performance component.

39
Q

A company is evaluating risks related to migrating systems to the cloud, including vendor dependency and data security.

A

COSO ERM for Cloud — Risk Identification & Assessment

Why:
COSO's Enterprise Risk Management for Cloud Computing guidance focuses on cloud-specific risks like third-party reliance and data exposure.

40
Q

A company wants to ensure IT investments deliver value and align with business goals.

A

COBIT — Governance Objectives

Why:
COBIT ensures IT supports business strategy and performance.

41
Q

An organization is structuring its cybersecurity program around Identify, Protect, Detect, Respond, Recover.

A

National Institute of Standards and Technology CSF

Why:
That 5-step lifecycle is the core of NIST CSF.

42
Q

A company wants to integrate risk management into strategic planning and decision-making.

A

COSO ERM — Strategy & Objective-Setting

Why:
COSO ERM links risk with strategy, not just controls.

43
Q

A company wants to ensure relevant information flows to the right people for decision-making.

A

COSO — Information & Communication

Why:
This component ensures data is communicated effectively.

44
Q

A company is implementing a program to detect and respond to cybersecurity incidents quickly.

A

National Institute of Standards and Technology CSF — Detect & Respond

Why:
These are core NIST CSF functions.

45
Q

A company wants to ensure only authorized users have access to systems and privileges are limited appropriately.

A

Center for Internet Security Controls — Access Control Management

Why:
CIS emphasizes practical access restriction and privilege control (in v8, Control 5 Account Management and Control 6 Access Control Management).