Certified Chief Information Security Officer (CCISO) — Question 131
Scenario: You are the newly hired Chief Information Security Officer for a company that has not previously had a senior level security practitioner. The company lacks a defined security policy and framework for their Information Security Program. Your new boss, the Chief Financial Officer, has asked you to draft an outline of a security policy and recommend an industry/sector neutral information security control framework for implementation.
Which of the following industry/sector-neutral information security control frameworks should you recommend for implementation?
Answer options
- A. Payment Card Industry Digital Security Standard (PCI DSS)
- B. National Institute of Standards and Technology (NIST) Special Publication 800-53
- C. International Organization for Standardization (ISO) 27001/2
- D. British Standard 7799 (BS7799)
Correct answer: C
Explanation
The correct choice is C, ISO 27001/2, because it provides a comprehensive, industry-neutral framework for establishing, implementing, maintaining, and continually improving an information security management system. The other options, while important in their respective contexts, are either specific to a particular industry (PCI DSS, for payment card data) or superseded standards (BS7799, the predecessor of ISO 27001/2), which makes them less suitable as a sector-neutral security framework.