# Control Frameworks (ISO/IEC 27001, NIST, COBIT)

Backlink: [[Domain 1 - Index]]

**Definition:** Structured sets of practices and controls to design, implement, and govern security programs.

## Key Facts

- ISO/IEC 27001: ISMS with risk-based controls (Annex A references 27002).
- NIST CSF: five functions: Identify, Protect, Detect, Respond, Recover.
- NIST 800-53: comprehensive control catalog.
- COBIT: governance/management of enterprise IT, value delivery.
- Map frameworks to needs; can combine; ISO certification possible.
- **Verify:** check official (ISC)² CBK and current exam outline.

>[!tip] **Exam Relevance**
> - Choose appropriate framework for context
> - Distinguish governance focus (COBIT) vs. control catalog (800-53)

>[!note] **Mnemonic**
> - "ISO = ISMS; CSF = 5 functions; COBIT = governance."

### Example

Q: Need exec-friendly risk view and roadmap. Choose?

A: NIST CSF profile.

## Revision Checklist

- [ ] Name purposes of 27001/CSF/COBIT/800-53
- [ ] When to certify vs. adopt
- [ ] Explain tailoring and profiles
- [ ] Map to regulatory drivers

## Related

[[Security Governance]] · [[Security Program Management (PDCA)]] · [[Security Control Types]] · [[Compliance Frameworks and Audits (SOX, PCI DSS, SOC Reports)]] · [[Security Metrics, KPIs, and KRIs]]

#cissp #domain-1 #concept