CompTIA Security+ (SY0-601) — Question 27
A security analyst wants to reference a standard to develop a risk management program. Which of the following is the BEST source for the analyst to use?
Answer options
- A. SSAE SOC 2
- B. ISO 31000
- C. NIST CSF
- D. GDPR
Correct answer: B
Explanation
ISO 31000 is designed specifically for risk management, providing principles and guidelines that apply across sectors. While SSAE SOC 2 and NIST CSF offer valuable guidance on security and compliance, neither is dedicated solely to risk management in the way ISO 31000 is. GDPR, on the other hand, is a regulation focused on data protection and privacy rather than a risk management standard.