
Understanding control frameworks and the CISSP

February 14, 2025, by Jeff Peters

Every modern organization needs control frameworks. These collections of best practices aren't just about security for its own sake; they also structure how you go about securing your company's data. The ISO/IEC 27000 series, for example, gives an organization, its partners and its auditors a shared vocabulary for talking about controls. When properly applied, control frameworks act as standards for technical, administrative and physical controls. 

When we think about control frameworks, it's convenient to see them purely as security practices and nothing more. However, a framework such as the ISO/IEC 27000 series can also help a company accomplish its business goals. What follows is an in-depth explanation of control frameworks and why they matter in the context of the CISSP exam. 

For more CISSP exam tips, get our free CISSP exam tips and tricks ebook, or watch our free one-hour CISSP exam tips course with an instructor whose students have a 95% pass rate. 

Earn your CISSP, guaranteed! Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

What types of controls are covered on the CISSP?

A Certified Information Systems Security Professional (CISSP) is responsible for keeping a company's digital infrastructure safe. It's an elite certification governed by ISC2. The CISSP is the most requested cybersecurity certification in U.S. job listings, according to CyberSeek, with an average salary of $175,583 for information security managers. 

Security control categories by purpose 

Preventive 

Preventive access controls are the first line of defense: they are deployed to stop unwanted or unauthorized activity from happening in the first place. They may be any of the following: 

  • Security Policies 
  • Security Cameras 
  • Callback 
  • Security Awareness Training 
  • Job Rotation 
  • Encryption 
  • Data Classification 
  • Smart Cards 

As you can see, preventive controls span a wide range. It's important to appreciate that the ISO/IEC 27001 controls and the other standards published jointly by ISO and the IEC don't rely on digital means of protection alone. 

Deterrent 

These are access controls deployed to discourage violations of an organization's security policy. A deterrent control doesn't physically stop a violation; it makes the potential violator aware that the attempt will be noticed and will have consequences, so the violation is never attempted. Examples of deterrents include: 

  • Security Personnel 
  • Guards 
  • Security Cameras 
  • Separation of Duties 
  • Intrusion Alarms 
  • Awareness Training 
  • Firewalls 
  • Encryption 

The list goes on, and you can combine any number of these controls at your organization. One of the aims of the ISO/IEC 27000 series is to help you choose and assemble the set that best fits your company. 

Detective 

Next, we have detective access controls, which are relied on to discover unauthorized activity. Detective controls generally operate after the fact rather than in real time: they reveal that an unwanted event has already taken place. Some examples of this type of access control are: 

  • Logs 
  • Security Cameras 
  • Intrusion Detection Systems 
  • Honey Pots 
  • Audit Trails 
  • Mandatory Vacations 

Corrective 

Corrective access controls restore systems to their original state after an unauthorized event has occurred. Typically, corrective controls have only a limited ability to respond to a violation. Some examples would include: 

  • Alarms 
  • Antivirus Solutions 
  • Intrusion Detection Systems 
  • Business Continuity Plans 

Recovery 

Recovery access controls repair resources, capabilities and functions after a security violation happens. They are an extension of corrective controls with more advanced and complex abilities. Oftentimes, they don't just repair the damage done; they return the environment to full operation so that the same failure doesn't simply recur. Some examples of this are: 

  • Backups 
  • Server Clustering 
  • Fault Tolerant Drive Systems 
  • Database Shadowing 
  • Antivirus Software 

Compensating 

Compensating access controls supplement the other controls in your framework by providing alternative ways to enforce your organization's security policy when a primary control isn't feasible. These might be: 

  • Security Policy 
  • Monitoring 
  • Personnel Supervision 
  • Work Task Procedures 

To better understand compensating access controls, consider an example. If budget cuts make it impossible to hire several security guards, you can hire one and outfit the building with enough cameras that the single guard can still monitor what is happening. 

Directive Access Controls 

Directive access controls can be deployed to encourage adherence to your company's security policy. They can accomplish this through directing, confining or controlling the actions of staff and others. The following would all be considered versions of directive access controls: 

  • Exit Signs 
  • Guard Dogs 
  • Security Guards 
  • Posted Notifications 
  • Supervision 
  • Awareness Training 


Security control categories by implementation 

Administrative Access Controls 

Administrative controls are the policies and procedures defined by an organization's security policy and used to implement and enforce its overall control framework. They focus on two areas: personnel and business practices. Common examples are: 

  • Background Checks 
  • Security Training 
  • Data Classifications 
  • Hiring Practices 
  • Reviews 
  • Testing 
  • Supervision 

Logical Access Controls 

These are the hardware or software mechanisms that manage access to systems and resources and protect those assets. Examples include: 

  • Protocols 
  • Firewalls 
  • Constrained Interfaces 
  • Passwords 
  • Smart Cards 
  • Access Control Lists (ACLs) 

Physical Access Controls 

Finally, we have the physical access controls used in control frameworks. These physical barriers prevent direct contact with sensitive areas of a facility or with the systems themselves. They include things like: 

  • Motion Detectors 
  • Fences 
  • Guards 
  • Locked Doors 
  • Lights 
  • Sealed Windows 
  • Swipe Cards 

Qualitative vs. quantitative 

When assessing your organization's risk, you can take either a qualitative or a quantitative approach, a contrast sometimes referred to as "Q vs. Q." In a quantitative assessment, the effects of a problem can be measured: you assign concrete, usually monetary, values to the asset at risk, the loss from a single event and how often that event is expected to occur. A common illustration is a system outage. If you know the outage will last 24 hours and what each hour of downtime costs, you can put a number on the loss, which makes the assessment quantitative. 

In a qualitative assessment, by contrast, you can't measure the variables precisely, so you rank likelihood and impact on relative scales (for example low, medium and high) using scenarios and expert judgment. This is typically what happens when you're weighing the potential fallout from a decision you need to make. 
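The following worked example is added here and is not code from the original article. It runs the 24-hour outage scenario through both styles of analysis. The quantitative side uses the standard CISSP Domain 1 formulas, which the page itself does not spell out: SLE = AV x EF, ALE = SLE x ARO, and safeguard value = ALE before the safeguard minus ALE after it minus the safeguard's annual cost. The qualitative side rates likelihood and impact on ordinal scales and reads a level off a 5x5 matrix. Every asset value, factor, scale and threshold is constructed for illustration.

```python
"""Quantitative vs. qualitative risk analysis (CISSP Domain 1), added example.

Quantitative: SLE = AV * EF, ALE = SLE * ARO, safeguard value = ALE_before - ALE_after - cost.
Qualitative: ordinal likelihood x impact on a matrix. All figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantitativeRisk:
    asset_value: float      # AV: worth of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in one occurrence, 0.0 to 1.0
    annual_rate: float      # ARO: expected occurrences per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: the cost of one occurrence (rounded to cents)."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized loss expectancy: the expected cost per year."""
        return round(self.sle() * self.annual_rate, 2)


def safeguard_value(before: QuantitativeRisk, after: QuantitativeRisk, annual_cost: float) -> float:
    """Cost/benefit of a safeguard; a positive result means it is worth buying."""
    return round(before.ale() - after.ale() - annual_cost, 2)


# Qualitative analysis: ordinal scales and a matrix instead of currency.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Risk level from a 5x5 matrix: score = likelihood x impact (thresholds are constructed)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


if __name__ == "__main__":
    # Constructed scenario: an order system worth 500,000 per year. A 24-hour
    # outage is assumed to cost 10% of that value and to happen about twice a year.
    outage = QuantitativeRisk(asset_value=500_000, exposure_factor=0.10, annual_rate=2.0)
    # A failover cluster costing 30,000 per year is assumed to cut the loss per
    # occurrence to 2% of the asset value and the frequency to once every four years.
    with_cluster = QuantitativeRisk(asset_value=500_000, exposure_factor=0.02, annual_rate=0.25)
    print("SLE", outage.sle(), "ALE", outage.ale())                       # 50000.0 100000.0
    print("cluster value", safeguard_value(outage, with_cluster, 30_000))  # 67500.0
    # The same outage assessed qualitatively, where all a manager can say is
    # that it is "likely" and its impact would be "major".
    print("qualitative:", qualitative_rating("likely", "major"))         # high
```

The point the numbers make is that the quantitative result is directly comparable to a budget line (the cluster saves 67,500 a year net of its cost), whereas the qualitative "high" only tells you where this risk sits relative to the others you rated on the same scale.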

These concepts are covered in Domain 1 (Security and Risk Management) under risk analysis, assessment and scope. For more details, see the updated CISSP exam outline. 

What risk frameworks are covered on the CISSP? 

The CISSP exam covers several key security control frameworks that organizations use to build comprehensive security programs: 

  • International Organization for Standardization (ISO): The ISO/IEC 27000 series, published jointly by ISO and the IEC, provides detailed specifications for information security management systems. ISO/IEC 27001 states the requirements for an information security management system (ISMS), and ISO/IEC 27002 supplies the catalog of controls with implementation guidance. Organizations worldwide use these standards to structure their security programs, define security policies and implement controls. The series also includes specific guidance for risk assessment, incident management and business continuity. 
  • National Institute of Standards and Technology (NIST): NIST frameworks provide granular security guidance through special publications such as NIST SP 800-53 (a catalog of security and privacy controls) and the Cybersecurity Framework. These resources offer detailed control catalogs, implementation guides and assessment methods that help organizations protect critical infrastructure and sensitive data. SP 800-53 controls are mandatory for U.S. federal information systems under FISMA; outside government, NIST publications serve as widely adopted best practices. 
  • Control Objectives for Information and Related Technology (COBIT): COBIT bridges the gap between technical IT controls and business requirements. This framework helps organizations develop, implement, monitor and improve IT governance practices. It provides tools for measuring performance, optimizing risk levels and managing resources while ensuring IT aligns with business goals. 
  • Sherwood Applied Business Security Architecture (SABSA): SABSA takes a layered approach to security architecture, from business requirements through physical implementation. This framework helps organizations develop security services that directly support business objectives, using a matrix that addresses six layers: contextual, conceptual, logical, physical, component and operational. 
  • Payment Card Industry (PCI): The PCI Data Security Standard (DSS) provides a comprehensive framework specifically for protecting payment card data. It organizes 12 requirements under six major objectives, from building and maintaining a secure network to maintaining an information security policy. While focused on payment data, many organizations adopt these controls more broadly because of their practical, proven approach. 
  • Federal Risk and Authorization Management Program (FedRAMP): This standardized approach to security assessment, authorization and continuous monitoring focuses on cloud services used by federal agencies. FedRAMP provides security control baselines, derived from NIST SP 800-53, at the Low, Moderate and High impact levels, ensuring cloud solutions meet federal security requirements while promoting consistent evaluation across agencies. 

Understanding these frameworks helps organizations select and implement appropriate controls based on their specific needs and compliance requirements. 

The 6 steps of the risk management framework 

The Risk Management Framework (RMF) described in NIST SP 800-37 breaks risk management into six concrete steps. It is a NIST process that draws its controls from NIST SP 800-53, but the same steps work if your control catalog is ISO/IEC 27002: 

  • Step 1: Categorize – Determine the criticality and sensitivity of the information stored, processed or transmitted by an information system. To do this, assign each type of information a security impact value — low, moderate or high — for each of confidentiality, integrity and availability, as described in FIPS 199. The system's category is the highest value found for each objective. 
  • Step 2: Select – Control frameworks need security controls, and they must be selected before they can be implemented. The selection is driven by the impact values set in step 1, which determine the control baseline, and is then tailored to the specific system. 
  • Step 3: Implement – With your selection made, implement the controls (from NIST SP 800-53, or ISO/IEC 27002 if that is the catalog you're using) and document how each control is deployed within the organization's information system and its environment of operation. 
  • Step 4: Assess – Using appropriate assessment procedures, verify that the controls have been implemented correctly. Control frameworks may be well planned, but if they are not equally well implemented they are of no use. Controls must also operate as intended and produce the desired outcome with respect to securing the system. Assessments tell you whether that is happening. 
  • Step 5: Authorize – A senior official (the authorizing official) reviews the residual risk to organizational operations, assets and individuals and decides whether it is acceptable. If it is, the system is granted an authorization to operate (ATO). 
  • Step 6: Monitor – Controls must be monitored continuously. This includes documenting changes to the system, analyzing their security impact, reporting the security state to the authorizing official and reassessing control effectiveness, so the framework keeps improving over time. 

Clearly, there is a lot of room here to address the unique factors of your organization. Nonetheless, these steps give you enough direction to carry out a structured risk assessment and manage the results accordingly. 
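To make steps 1 and 2 concrete, here is an added worked example (not code from the original article, and not NIST's own tooling) that categorizes a system holding several information types and selects a control baseline from the result. It follows FIPS 199, under which a system's security category is the high-water mark of the confidentiality, integrity and availability impact levels over all the information it handles, and FIPS 200, under which the overall high-water mark picks the SP 800-53 baseline (LOW, MODERATE or HIGH). The information types are constructed, and the small baseline table uses a few real SP 800-53 control identifiers but with membership simplified for illustration; the real baselines are in NIST SP 800-53B.

```python
"""NIST RMF Step 1 (Categorize) and Step 2 (Select), added example.

FIPS 199: system category = high-water mark per objective over all information types.
FIPS 200: overall impact level = highest of the three, which picks the baseline.
Information types and the baseline table below are constructed for illustration.
"""
from typing import Dict, Iterable, List, Tuple

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# FIPS 199 permits "not applicable" only for the confidentiality of public information.
NOT_APPLICABLE = "N/A"

ImpactLevels = Dict[str, str]               # objective -> LOW / MODERATE / HIGH (or N/A)
InformationType = Tuple[str, ImpactLevels]  # (name, impact levels)


def _validate(name: str, objective: str, level: str) -> str:
    """Normalize one impact value and reject anything FIPS 199 does not allow."""
    level = level.upper()
    if level == NOT_APPLICABLE and objective == "confidentiality":
        return level
    if level not in RANK:
        raise ValueError(f"{name}: {objective} impact {level!r} is not LOW/MODERATE/HIGH")
    return level


def system_security_category(info_types: Iterable[InformationType]) -> ImpactLevels:
    """Step 1: the high-water mark for each security objective across all information types."""
    category: ImpactLevels = {objective: "LOW" for objective in OBJECTIVES}
    for name, levels in info_types:
        for objective in OBJECTIVES:
            level = _validate(name, objective, levels[objective])
            if level == NOT_APPLICABLE:
                continue  # public information adds nothing to the system's confidentiality level
            if RANK[level] > RANK[category[objective]]:
                category[objective] = level
    return category


def overall_impact(category: ImpactLevels) -> str:
    """FIPS 200: the system's overall impact level is the highest of C, I and A."""
    return max(category.values(), key=RANK.__getitem__)


# Constructed, cumulative baseline table: each level adds controls to the one below.
# The IDs are real SP 800-53 controls; which baseline they belong to is simplified here.
BASELINE_ADDITIONS = {
    "LOW": ["AC-2", "AU-2", "IA-2", "SC-7", "CP-9"],
    "MODERATE": ["AU-6", "SI-4", "CP-2"],
    "HIGH": ["CA-8", "AU-10"],
}


def select_baseline(category: ImpactLevels) -> List[str]:
    """Step 2: the initial baseline for the overall impact level, before tailoring."""
    level = overall_impact(category)
    selected: List[str] = []
    for baseline in LEVELS[: RANK[level] + 1]:
        selected.extend(BASELINE_ADDITIONS[baseline])
    return sorted(selected)


if __name__ == "__main__":
    # Constructed information types for an online order system.
    info_types = [
        ("customer PII", {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"}),
        ("public catalog", {"confidentiality": "N/A", "integrity": "MODERATE", "availability": "LOW"}),
        ("order processing", {"confidentiality": "LOW", "integrity": "HIGH", "availability": "MODERATE"}),
    ]
    category = system_security_category(info_types)
    print(category)                   # {'confidentiality': 'MODERATE', 'integrity': 'HIGH', 'availability': 'MODERATE'}
    print(overall_impact(category))   # HIGH
    print(select_baseline(category))  # the LOW, MODERATE and HIGH additions, sorted
```

Note what the high-water mark does to the example: no single information type is HIGH across the board, but because order processing needs HIGH integrity the whole system is categorized HIGH and inherits the largest baseline. In practice that is the moment to consider splitting the system so the public catalog isn't carrying HIGH-baseline controls it doesn't need.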

Do I need to know any other frameworks? 

Whether or not you should know other control frameworks is a decision only you can make. You'll have to look at your organization and/or what you want from your job prospects. 

Still, let's take a quick look at some of the most popular options and what they have to offer: 

  • OCTAVE: Operationally Critical Threat, Asset and Vulnerability Evaluation was developed at Carnegie Mellon University's Software Engineering Institute (home of the CERT Coordination Center). The suite of tools, methods and techniques exists in three versions. The original OCTAVE was designed for large organizations of roughly 300 or more employees. OCTAVE-S is aimed at smaller companies that don't have much in the way of security and risk-management resources. OCTAVE Allegro is a more streamlined approach focused on information assets. 
  • FAIR: Factor Analysis of Information Risk, created by Jack Jones (former CISO of Nationwide Mutual Insurance), is a model for understanding, analyzing and quantifying information risk in financial terms. The framework has received a lot of attention because it lets organizations assess the risk to any asset using one unified language, so IT staff, the risk-management team and business line staff can work together on a consistent basis. 
  • TARA: The Threat Agent Risk Assessment was created by Intel in 2010. It lets companies manage their risk by considering a large number of potential information security attacks and then distilling them down to the likeliest threats, which a predictive model ranks in order of priority. 
  • ITIL: The Information Technology Infrastructure Library provides best practices in IT Service Management (ITSM). ITIL v3 organizes ITSM into five service lifecycle stages (Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement), and its Information Security Management process keeps IT security aligned with the business's security requirements, which helps prevent unauthorized changes and events. 

Again, whether or not you should learn these frameworks is up to you and will depend on the needs of your company and the resources available. One factor that can be difficult to settle is the level of risk you find acceptable, your risk appetite. Obviously, we'd all like to keep our vulnerabilities to a minimum, especially where our company's digital infrastructure is concerned. 

However, it's unrealistic to think you'll never have to take on some risk. Instead, you must look at these risks, look at your resources and then decide how much you'll simply have to be comfortable with (at least at the moment). Although the other frameworks may help you protect your organization, they may not be an option right now. 


Securing your organization with control frameworks 

Control frameworks are essential for protecting your organization's digital assets. Whether you're preparing for the CISSP exam or building a security program, understanding these frameworks helps you make informed decisions about risk management, access controls and security governance. 


Jeff Peters

Jeff Peters is a communications professional with more than a decade of experience creating cybersecurity-related content. As the Director of Content and Brand Marketing at Infosec, he oversees the Infosec Resources website, the Cyber Work Podcast and Cyber Work Hacks series, and a variety of other content aimed at answering security awareness and technical cybersecurity training questions. His focus is on developing materials to help cybersecurity practitioners and leaders improve their skills, level up their careers and build stronger teams.