CPA Exam Lab
All patterns
Security and system resilience

The Security Foundation

Anchor to the fundamentals: the CIA triad names the goal, and the framework question is COBIT versus NIST CSF versus ISO 27001.

How the exam words it

The playbook

  1. 1Map the goal to the CIA triad: confidentiality is preventing unauthorized disclosure, integrity is preventing unauthorized change, and availability is keeping systems accessible.
  2. 2Apply the principles: least privilege grants the minimum access needed, and defense in depth layers multiple independent controls so one failure is not fatal.
  3. 3Recall the five NIST CSF functions in order: identify, protect, detect, respond, and recover.
  4. 4Pick ISO 27001 for a certifiable ISMS and NIST CSF for a voluntary risk-based framework, keeping COBIT as the IT governance model.

The trap

Mixing up integrity and confidentiality, or the NIST CSF function order. Integrity protects against unauthorized change; confidentiality protects against unauthorized disclosure.

How the exam varies it

The same pattern, re-skinned along these axes:

Which CIA element a control protectsSecurity principle: least privilege versus defense in depthFramework identification: NIST CSF functions versus ISO 27001 ISMS

Drill this pattern

8 questions of The Security Foundation from across the AUD topics. Clear it by getting 5 right with a streak of 3.

Shows up in 1 ISC topic