Question 11
An organization currently following the ISO/IEC 27002 control framework has been charged by a new CIO to switch to the NIST 800-53 control framework. Which of the following is the FIRST step to this change?
Correct answer: D
Explanation
A framework switch starts with a control crosswalk, because you must identify where the two sets of controls overlap and where they differ. Mapping ISO/IEC 27002 to NIST 800-53 lets the organization "detect gaps and commonalities" before redesigning policies, procedures, and controls.
Why each option is right or wrong
A. Discard all work done and start implementing NIST 800-53 from scratch.
B. Recommend no change, since the scope of ISO/IEC 27002 is broader.
C. Recommend no change, since NIST 800-53 is a US-scoped control framework.
D. Map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities.
The first action in a framework migration is a control crosswalk: ISO/IEC 27002 is a guidance/control catalog, while NIST SP 800-53 is a separate control baseline, so the organization must compare the two sets of controls before changing anything. NIST SP 800-53 Rev. 5 is organized into 20 control families and ISO/IEC 27002:2022 into 4 themes/93 controls, so mapping them is the only way to identify overlaps, missing controls, and control equivalencies before redesigning the security program.