Questions for the NIST COBIT 2019 were updated on: Dec 01, 2025
Combining CSF principles with COBIT 2019 practices helps to ensure value, manage risk, and support
mission drivers through support and direction of:
B
Explanation:
Combining CSF principles with COBIT 2019 practices helps to ensure value, manage risk, and support
mission drivers through the support and direction of the board of directors and executive management,
who are responsible for setting the vision, strategy, and objectives of the organization, and for
overseeing the governance and management of IT-related operations [1][2].
Reference
1. Connecting COBIT 2019 to the NIST Cybersecurity Framework - ISACA
2. COBIT 2019 (With Principles, Components, Users and Benefits)
The PRIMARY function of COBIT Implementation Phase 7: How Do We Keep the Momentum Going is to
provide an opportunity for which of the following?
A
Explanation:
The primary function of COBIT Implementation Phase 7 is to provide an opportunity for closing the
loop on the communication workflow: the results and feedback of the implementation are reported
and communicated to the relevant stakeholders, and the lessons learned and good practices are
captured and shared for future reference [1][2].
Reference
1. 7 Phases in COBIT Implementation | COBIT Certification - Simplilearn
2. COBIT 2019 Design and Implementation COBIT Implementation, page 31.
During CSF life cycle action plan review, which of the following tasks is associated with realizing
benefits?
B
Explanation:
According to the ISACA guide, monitoring performance against objectives is one of the tasks
associated with realizing benefits, as it measures the outcomes and value of the CSF
implementation and identifies any issues or gaps that arise so they can be addressed [1]. This task
also involves reporting and communicating the results and feedback to the relevant stakeholders and
ensuring continuous improvement [2].
Reference
1. Connecting COBIT 2019 to the NIST Cybersecurity Framework - ISACA
2. Manage Enterprise Cyberrisk by Applying the NIST CSF With COBIT … - ISACA
Which of the following is the PRIMARY reason for establishing open communication between all
participants and stakeholders as part of the implementation phase?
B
Explanation:
The primary reason for establishing open communication between all participants and stakeholders
as part of the implementation phase is to ensure that issues can be identified and resolved. Open
communication facilitates collaboration, coordination, and feedback among the involved parties, and
helps to overcome the challenges and risks that arise during the implementation [1][2].
Reference
1. Connecting COBIT 2019 to the NIST Cybersecurity Framework - ISACA
2. Questions and Answers | NIST
Which of the following is the MOST beneficial result of an effective CSF implementation plan?
A
Explanation:
The most beneficial result of an effective CSF implementation plan is that cybersecurity risk
management practices are formalized and institutionalized, meaning that the organization has
established and maintains a consistent and comprehensive approach to managing cybersecurity
risk across its systems, processes, and people. This result helps the organization to reduce the
likelihood and impact of cybersecurity events, improve its resilience and compliance, and enhance its
reputation and trust [1][2].
Reference
1. Public Draft: The NIST Cybersecurity Framework 2.0, page 1.
2. Cybersecurity Framework | NIST
Which function of the CSF is addressed by incorporating governance, risk, and compliance (GRC)
elements into the implementation plan?
C
Explanation:
The CSF function addressed by incorporating governance, risk, and compliance (GRC) elements into
the implementation plan is Identify, which develops an organizational understanding to manage
cybersecurity risk to systems, people, assets, data, and capabilities. In CSF v1.1 the Identify function
contains the Governance (ID.GV), Risk Management Strategy (ID.RM), and Supply Chain Risk
Management (ID.SC) categories, so the GRC elements define the governance program, the legal and
regulatory requirements, the risk management strategy, and the supply chain risk management
strategy of the organization [1][2]. Note that CSF 2.0 moves these outcomes into a separate Govern
function, so the answer depends on the framework version the question assumes.
Reference
1. The Five Functions | NIST
2. NIST Cybersecurity Framework 2.0: Understanding the "Govern" Function
Which of the following is MOST likely to cause an organization's NIST Cybersecurity Framework (CSF)
implementation to fail?
B
Explanation:
One of the most likely causes of an organization's NIST CSF implementation failure is that the
potential benefits of proposed improvements are not considered, meaning that the organization
does not conduct a cost-benefit analysis of the solutions intended to close the gaps between the
current and target profiles. This results in a lack of justification, prioritization, and alignment of the
implementation plan with the organization's mission drivers, risk appetite, and resource
constraints [1][2].
Reference
1. 7 Steps to Implement & Improve Cybersecurity with NIST
2. 3 Security Issues Overlooked By the NIST Framework
Which of the following is CRITICAL for the success of CSF Step 6: Determine, Analyze and Prioritize
Gaps?
C
Explanation:
A clear understanding of the likelihood and impact of cybersecurity events is critical for the success
of CSF Step 6, as it allows the gaps and the corrective actions to be prioritized on the basis of the
risk assessment and the cost-benefit analysis of the proposed solutions [1][2].
Reference
1. 7 Steps to Implement & Improve Cybersecurity with NIST
2. NIST CSF: The seven-step cybersecurity framework process
Which of the following is one of the objectives of CSF Step 6: Determine, Analyze and Prioritize
Gaps?
A
Explanation:
One of the objectives of CSF Step 6 is to translate improvement opportunities into justifiable,
contributing projects, that is, to develop an action plan that addresses the gaps between the
current and target profiles and that aligns with the organization's mission drivers, risk appetite, and
resource constraints [1][2].
Reference
1. Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide, page 8.
2. NIST CSF: The seven-step cybersecurity framework process
Which COBIT implementation phase directs the development of an action plan based on the
outcomes described in the Target Profile?
B
Explanation:
The COBIT implementation phase that directs the development of an action plan based on the
outcomes described in the Target Profile is Phase 5: How Do We Get There? This phase defines
the detailed steps, resources, roles, and responsibilities for executing the implementation plan and
achieving the desired outcomes [1][2].
Reference
1. 7 Phases in COBIT Implementation | COBIT Certification - Simplilearn
2. COBIT 2019 Design and Implementation COBIT Implementation, page 31.
Which of the following should be a PRIMARY consideration when creating an action plan to address
gaps identified in CSF Step 6: Determine, Analyze, and Prioritize Gaps?
A
Explanation:
According to the NIST Cybersecurity Framework, mission drivers are a primary consideration when
creating an action plan to address gaps identified in CSF Step 6, as they align the cybersecurity
program with the organization's objectives, priorities, and risk appetite. Mission drivers also help to
determine the resources needed and inform the cost-benefit analysis of the proposed
solutions [1][2].
Reference
1. 7 Steps to Implement & Improve Cybersecurity with NIST
2. Cybersecurity Framework v1.1 - CSF Tools - Identity Digital, page 7.
An organization is concerned that there will be resistance in attempts to close gaps between the
current and target profiles. Which of the following is the BEST approach to gain support for the
process?
C
Explanation:
Identifying quick wins for implementation first is the best approach to gain support for the process,
as it demonstrates the value and feasibility of the project and motivates stakeholders to overcome
their resistance and embrace the change [1][2]. Quick wins are actions that can be implemented
rapidly and easily and that produce visible, measurable results [3].
Reference
1. 7 Phases in COBIT Implementation | COBIT Certification - Simplilearn
2. Implementing the NIST Cybersecurity Framework Using COBIT 2019, page 17.
3. What is a Quick Win? - Definition from Techopedia
When aligning to the NIST Cybersecurity Framework, what should occur after tier levels and
framework core outcomes are determined?
C
Explanation:
According to the NIST Cybersecurity Framework, after determining the tier levels and framework
core outcomes, the next step is to compare the current and target profiles, which describe the
organization's current and desired cybersecurity posture in terms of the framework core functions,
categories, and subcategories [1]. This comparison identifies the gaps and allows the improvement
actions to be prioritized [2].
Reference
1. Cybersecurity Framework Components | NIST
2. What is the NIST Cybersecurity Framework? | IBM
How should gaps identified between the current and target profiles be addressed?
C
Explanation:
According to the NIST Cybersecurity Framework, gaps identified between the current and target
profiles should be addressed through a risk-based approach, which enables an organization to gauge
the resources needed and to prioritize the mitigation of gaps in a cost-effective manner. This
approach also aligns the cybersecurity program with the business objectives and risk appetite of
the organization [1][2].
Reference
1. Examples of Framework Profiles | NIST
2. What is the NIST Cybersecurity Framework? | IBM
Which of the following is MOST important for successful execution of CSF implementation Step 6 -
Determine, Analyze, and Prioritize Gaps?
C
Explanation:
According to the ISACA guide, engaging business and IT process owners for internal expertise is most
important for successful execution of CSF implementation Step 6, as they provide insight into the
current and desired states of the processes, the gaps and potential solutions, and the costs and
benefits of the implementation [1]. They also help to align the cybersecurity program with the
business objectives and risk appetite of the organization.
Reference
1. Implementing the NIST Cybersecurity Framework Using COBIT 2019, page 17.