Certificate of Cloud Auditing Knowledge (CCAK) — Question 166
Which of the following processes should be performed FIRST to properly implement the NIST SP 800-53 r4 control framework in an organization?
Answer options
- A. A comprehensive tailoring of the controls of the framework
- B. A security categorization of the information systems
- C. A selection of the security objectives the organization wants to improve
- D. A comprehensive business impact analysis (BIA)
Correct answer: B
Explanation
The correct answer is B. A security categorization of the information systems is the essential first step, because it establishes the potential impact of each system on the organization and thereby determines which baseline of security controls is appropriate. The other options, while important, depend on that result: tailoring (A) adjusts a baseline that only exists once the systems have been categorized, and the objectives (C) and business impact analysis (D) should likewise follow the initial categorization so that the controls remain relevant to the specific needs of the organization.