A security analyst wants to reference a standard to develop a risk management program. Which of the following is the BEST source for the analyst to use?
ISO 31000. The ISO 31000 Risk Management framework is an international standard that provides businesses with guidelines and principles for risk management from the International Organization for Standardization. Regulatory compliance initiatives are usually specific to a particular country and applicable to certain sized businesses or businesses in specific industries. However, ISO 31000 is designed to be used in organizations of any size. Its concepts work equally well in the public and the private sector, in large or small businesses and nonprofit organizations.
Depends how you define Security Analyst: if it's cyber then it's NIST CSF; if he/she deals with general risk (not only cyber) then it's ISO 31000. God help us with CompTIA style questions...
ISO 31000 is a risk management framework and NIST CSF is a cyber security framework. According to the question, we can get 2 words to get the very close answer: "standard" which is ISO 31000, second "risk" which is again ISO 31000, not NIST CSF.
In my opinion the answer is B: ISO 31000 is a family of standards related to risk management. It provides guidelines that organizations can adopt to manage risk.
According to Professor Messer, NIST CSF industry standards have 3 cores. Framework Implementation addresses risks and processes to manage risk. ISO 31000 is an international standard for risk management. C is looking like the right answer unless the question needed an international standard.
https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/security-frameworks/
The best source for a security analyst to use when developing a risk management program would be the ISO 31000 standard. This is a foundation standard on risk management that explains the fundamental concepts and principles of risk management, describes a framework, and outlines the processes of risk identification and management.
When it comes to developing a risk management program, the best source for the security analyst to use would be option C: NIST CSF (National Institute of Standards and Technology Cybersecurity Framework).
The NIST CSF provides a comprehensive framework for managing and reducing cybersecurity risks. It offers a set of guidelines, best practices, and standards that organizations can follow to assess and improve their cybersecurity posture. It covers areas such as risk assessment, threat mitigation, and incident response.
While options A, B, and D are also relevant in their respective domains, the NIST CSF is specifically designed to address cybersecurity risk management and is widely recognized and adopted by organizations worldwide.
Both NIST and ISO 31000 are solid choices, and the best one for you depends on your specific needs and context. If you're primarily focused on information security and want a detailed framework, NIST might be more suitable. On the other hand, if you're looking for a broader approach that can be applied across different types of risks, ISO 31000 is a great option.
Option B, "ISO 31000," is indeed a well-regarded international standard for risk management. However, it's a general risk management standard, and while it provides valuable principles and guidelines for risk management, it does not specifically focus on cybersecurity risk management.
If the security analyst's primary goal is to develop a risk management program for cybersecurity and information security, then a more specific framework or standard like the NIST Cybersecurity Framework (NIST CSF) would be a more suitable reference. The NIST CSF is designed explicitly for managing and mitigating cybersecurity risks, providing detailed guidance on protecting critical information and infrastructure.
Did a little digging and the key phrase is "management program" and BEST.
The main reason NIST is superior here is because ISO 31000 CANNOT be used for certification purposes whereas NIST CSF can be used:
https://www.iso.org/iso-31000-risk-management.html
Also NIST is free whereas ISO is not, so that's another advantage for NIST: https://www.auditboard.com/blog/nist-vs-iso-whats-the-difference/
ISO 31000 is an international standard for risk management issued by the International Organization for Standardization (ISO). It provides principles, framework, and guidelines for managing risks effectively and efficiently in any organization. The standard focuses on the entire risk management process and helps organizations identify, analyze, evaluate, treat, and monitor risks systematically.
None of the answers can because they are all just guidelines. They are meant to guide organizations in CREATING a risk management program. Neither ISO nor NIST alone manage anything.
ISO 31000 is an international standard that provides principles and guidelines for effective risk management. It offers a comprehensive framework that organizations can utilize to establish, implement, and continuously improve their risk management processes. The standard emphasizes a systematic and proactive approach to identifying, assessing, treating, and monitoring risks across the organization.
What is the difference between ISO 27001 and NIST CSF?
It is a standard you follow and with guidelines that are dependent on your own organizational security needs. Both NIST and ISO 27001 have their own specific place in a security roadmap. NIST CSF is meant to guide your security needs, while ISO 27001 helps to prove your security.