Security+ Academy · Lesson

NIST RMF, ISO 27001, and CIS Controls

Survey the most widely adopted security frameworks and understand how they complement each other to build a comprehensive information security management system.

Why Frameworks Matter

Security frameworks are structured sets of guidelines, best practices, and controls that help organizations build and maintain effective security programs. Rather than starting from scratch, a framework gives you a proven methodology that can be tailored to organizational size, industry, and risk profile. The Security+ exam focuses on three widely adopted frameworks, each approaching security from a different angle: NIST RMF is a risk-management lifecycle for individual systems, ISO 27001 is a certifiable standard for an organization-wide information security management system (ISMS), and the CIS Controls are a prioritized list of concrete technical safeguards.

NIST Risk Management Framework (RMF)

The NIST Risk Management Framework (NIST SP 800-37) is a lifecycle for managing security and privacy risk in federal information systems, though it is widely adopted in the private sector too. The six original steps are: Categorize (set the system's impact level, Low, Moderate, or High, from the sensitivity of the information it handles, per FIPS 199), Select (choose a control baseline from SP 800-53 matching that impact level and tailor it), Implement (deploy and document the controls), Assess (test whether the controls are implemented correctly and operating as intended), Authorize (the Authority to Operate, or ATO, decision by the authorizing official, based on residual risk), and Monitor (continuous monitoring of controls and risk). SP 800-37 Rev. 2 (2018) added a Prepare step ahead of Categorize, covering organization- and system-level groundwork such as assigning roles and defining the authorization boundary, so the current revision has seven steps even though much Security+ material still counts six. The RMF emphasizes ongoing authorization rather than point-in-time certifications.

# NIST RMF Steps (SP 800-37 Rev. 2: Prepare plus the six original steps)
0. PREPARE     - Roles, risk strategy, authorization boundary (added in Rev. 2)
1. CATEGORIZE  - Classify system impact (Low/Mod/High) per FIPS 199
2. SELECT      - Choose a control baseline from SP 800-53 and tailor it
3. IMPLEMENT   - Deploy and document controls
4. ASSESS      - Test control effectiveness (CA-2 Control Assessments)
5. AUTHORIZE   - ATO signed by the Authorizing Official
6. MONITOR     - Continuous monitoring (ISCM, SP 800-137)
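The Categorize and Select steps above are the only ones with a mechanical rule behind them, so here is a worked version of both. This is an added example written for this lesson, not code from Security+ Academy or NIST. It applies the FIPS 199 high-water mark (per security objective, a system takes the highest impact of any information type it handles; per FIPS 200, the overall impact is the highest of the three objectives) and then maps the overall impact to an SP 800-53B baseline. The catalogue of information types and their provisional impact levels is constructed for illustration; real values come from NIST SP 800-60 Vol. 2.

```python
"""RMF Categorize and Select steps, worked with the FIPS 199 high-water mark.

Added example for this lesson, not code from Security+ Academy or NIST.
SAMPLE_INFO_TYPES is a constructed catalogue; real provisional impact levels
come from NIST SP 800-60 Vol. 2.
"""
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample catalogue: information type -> provisional impact per objective.
SAMPLE_INFO_TYPES = {
    "public web content": {"confidentiality": Impact.LOW, "integrity": Impact.MODERATE, "availability": Impact.MODERATE},
    "customer PII": {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "payment card data": {"confidentiality": Impact.HIGH, "integrity": Impact.HIGH, "availability": Impact.MODERATE},
}

# Overall impact level -> initial control baseline chosen in the Select step.
BASELINES = {
    Impact.LOW: "SP 800-53B Low baseline",
    Impact.MODERATE: "SP 800-53B Moderate baseline",
    Impact.HIGH: "SP 800-53B High baseline",
}


def categorize_system(info_types, adjustments=None):
    """Categorize step. Returns (per-objective impact dict, overall impact).

    FIPS 199: for each objective, the system impact is the highest provisional
    impact among all information types it handles (high-water mark).
    `adjustments` maps objective -> (Impact, rationale); the system owner may
    raise or lower a provisional level, but the rationale must be recorded.
    FIPS 200: the overall system impact is the highest of the three objectives.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    per_objective = {
        obj: max(levels[obj] for levels in info_types.values()) for obj in OBJECTIVES
    }
    for obj, (level, rationale) in (adjustments or {}).items():
        if obj not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {obj}")
        if not rationale.strip():
            raise ValueError(f"adjustment of {obj} needs a documented rationale")
        per_objective[obj] = Impact(level)
    overall = max(per_objective.values())
    return per_objective, overall


def security_category(per_objective):
    """Render the FIPS 199 security category notation, e.g. SC = {(confidentiality, HIGH), ...}."""
    parts = ", ".join(f"({obj}, {per_objective[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


def select_baseline(overall):
    """Select step: the initial control baseline follows the overall impact level."""
    return BASELINES[Impact(overall)]


def categorize_and_select(info_types, adjustments=None):
    """Run Categorize then Select and return the artifacts an ATO package records."""
    per_objective, overall = categorize_system(info_types, adjustments)
    return {
        "security_category": security_category(per_objective),
        "overall_impact": overall.name,
        "baseline": select_baseline(overall),
    }


if __name__ == "__main__":
    # Whole system: the payment card data alone drives the categorization to HIGH.
    print(categorize_and_select(SAMPLE_INFO_TYPES))
    # Same system with the card data moved into its own authorization boundary.
    subset = {k: v for k, v in SAMPLE_INFO_TYPES.items() if k != "payment card data"}
    print(categorize_and_select(subset))
```

The second run in the usage block shows why authorization boundaries matter: one High-impact information type pulls the whole system, and therefore the whole control baseline, up to High, while splitting it into a separate boundary leaves the remaining system at Moderate. Note that an adjustment without a written rationale is rejected, mirroring the documentation the assessor will look for in the Assess step.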
