Isaca NIST-COBIT-2019 Exam Questions Instant Access

Question 1

Which of the following COBIT and NIST implementation steps may be reversed depending on the culture of the organization?

AStep 4: Conduct a Risk Assessment and Step 6: Determine, Analyze, and Prioritize Gaps

BStep 3: Create a Current Profile and Step 5: Create a Target Profile

CStep 1: Prioritize and Scope and Step 2: Orient

Answer : C

According to the ISACA guide, the order of these two steps may be reversed depending on the culture of the organization and the level of stakeholder engagement1. Some organizations may prefer to start with a broad orientation of the NIST CSF and COBIT 2019 before scoping and prioritizing the implementation, while others may want to define the scope and priorities first and then orient the stakeholders accordingly.

Reference Implementing the NIST Cybersecurity Framework Using COBIT 2019, page 17.

Question 2

Which of the following is an objective of COBIT Implementation Phase 3 - Where Do We Want to Be?

ADetermine the current capability of selected processes.

BIdentify critical processes or other components addressed in the improvement plan.

CCreate a detailed business case and high-level program plan.

Answer : C

The objective of COBIT Implementation Phase 3 is to set an improvement target and identify gaps and potential solutions using COBIT's guidance. This involves creating a detailed business case and a high-level program plan for the implementation.

Reference COBIT 2019 Design and Implementation COBIT Implementation, page 31. 7 Phases in COBIT Implementation | COBIT Certification - Simplilearn

Question 3

Which of the following is the MOST beneficial result of an effective CSF implementation plan?

ACybersecurity risk management practices are formalized and institutionalized.

BKey stakeholders understand the quick wins of the cybersecurity program.

CKey stakeholders understand the cybersecurity requirements of the chosen vendors.

Answer : A

The most beneficial result of an effective CSF implementation plan is that cybersecurity risk management practices are formalized and institutionalized, which means that the organization has established and maintained a consistent and comprehensive approach to managing cybersecurity risks across its systems, processes, and people. This result can help the organization to reduce the likelihood and impact of cybersecurity events, improve its resilience and compliance, and enhance its reputation and trust12.

Reference Public Draft: The NIST Cybersecurity Framework 2, page 1. Cybersecurity Framework | NIST

Question 4

Which of the following is an objective of Implementation Phase 3 - Where Do We Want to Be?

AIntegrate the improvement projects into the overall program plan.

BMonitor, measure, and report on project progress.

CCreate a detailed business case and high-level program plan from gathered information.

Answer : C

This is an objective of Implementation Phase 3: Where Do We Want to Be?, because it involves defining the desired state of the enterprise's governance and management system, based on the stakeholder needs, drivers, and scope12. This objective also includes developing a business case that provides the rationale and justification for the improvement program, and a high-level program plan that outlines the scope, objectives, approach, and resources of the program3 .

Question 5

What is the MOST important reason to compare framework profiles?

ATo improve security posture

BTo conduct a risk assessment

CTo identify gaps

Answer : C

The most important reason to compare framework profiles is to identify gaps between the current and target state of cybersecurity activities and outcomes, and to prioritize the actions needed to address them12. Framework profiles are the alignment of the functions, categories, and subcategories of the NIST Cybersecurity Framework with the business requirements, risk tolerance, and resources of the organization3. By comparing the current profile (what is being achieved) and the target profile (what is needed), an organization can assess its cybersecurity posture and develop a roadmap for improvement4.

Question 6

Which of the following should an organization review to gain a better understanding of the likelihood and impact of cybersecurity events?

ARelevant internal or external capability benchmarks

BCybersecurity frameworks, standards, and guidelines

CCyber threat information from internal and external sources

Answer : C

According to the NIST Cybersecurity Framework, an organization should review cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events. This information can help the organization to identify potential threats, vulnerabilities, and consequences, and to assess the current and target profiles of its cybersecurity posture12.

Reference Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management, page 19. COBIT VS NIST : A Comprehensive Analysis - ITSM Docs

Question 7

Which of the following is an objective of COBIT Implementation Phase 3-Where Do We Want to Be?

AIdentify critical processes or other components addressed in the improvement plan.

BDetermine the target capability for processes within governance and management

Cobjectives.

DIntegrate the metrics for project performance and benefits realization.

Answer : B

This is an objective of COBIT Implementation Phase 3: Where Do We Want to Be?, because it involves defining the desired state of the enterprise's governance and management system, based on the stakeholder needs, drivers, and scope12. This objective also includes using the COBIT Performance Management system to assess the current and target capability levels of the processes that support the governance and management objectives34.

Isaca Implementing the NIST Cybersecurity Framework using COBIT 2019 NIST-COBIT-2019 Exam Questions