CPA Exam Lab
Section 2: 35–45%

Information Security Programs and Frameworks

Exam Insight

ISC is built on the idea that controls exist to protect information, and the AICPA expects you to reason from foundational principles like the CIA triad and defense in depth. Frameworks such as NIST CSF and ISO 27001 give you the vocabulary that nearly every other security question on the exam assumes you already know.

CPA Exam Lab is an independent study resource and is not affiliated with, endorsed by, or sponsored by the AICPA® or NASBA. Practice questions are original content created for study purposes. “CPA” is a registered trademark of the AICPA.

What AICPA Wants You to Know

  1. Define the three components of the CIA triad and identify which one a given control protects.
  2. Explain defense in depth and why layering controls is more effective than any single control.
  3. List and order the five functions of the NIST Cybersecurity Framework.
  4. Distinguish ISO 27001 (a certifiable management system standard) from a control framework.
  5. Apply the principle of least privilege and explain its role in a security program.
  6. Describe how security governance, policies, and risk assessment fit together.