Module 45: Information Security Concepts, Frameworks & Standards

CRISC Domain 4 — Technology and Security, Section B (12–15 min read)
Security principles guide protection.
Frameworks guide structure.
Standards guide implementation.

CRISC evaluates whether you understand how security governance frameworks reduce risk exposure.

This section focuses on structural alignment — not tool knowledge.


What the exam is really testing

When frameworks and standards appear, CRISC is asking:

  • Is security aligned with business objectives?
  • Is governance structured?
  • Are controls selected systematically?
  • Is maturity improving?
  • Are frameworks integrated?
  • Are gaps identified and addressed?

Frameworks reduce inconsistency and blind spots.


Core information security concepts


CIA triad

Confidentiality
Integrity
Availability

Every control ultimately supports one or more of these.

CRISC often tests which objective is most impacted.


Defense in depth

Multiple layered controls reduce:

  • Single point of failure
  • Control bypass risk
  • Residual risk concentration

No single control is sufficient.


Least privilege

Users receive only the access necessary to perform duties.

Reduces:

  • Insider threat risk
  • Lateral movement
  • Accidental misuse

Segregation of duties (SoD)

Critical functions are divided to prevent abuse.

Reduces:

  • Fraud risk
  • Error risk
  • Conflict of interest exposure
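Added example (not part of this module): a small Python access-review check that flags users whose combined roles grant both halves of a toxic duty combination, which is how SoD is usually verified in practice. The role names, duties, conflict matrix and user assignments are constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not part of the CRISC module. Role names, the conflict
matrix and the user assignments below are constructed for illustration.
"""

# Constructed toxic combinations: holding both duties lets one person
# complete a sensitive transaction end to end without independent review.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"submit_expense", "approve_expense"}),
    frozenset({"develop_code", "deploy_production"}),
}

# Constructed role -> duty mapping (a role grants one or more duties).
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "submit_expense"},
    "ap_manager": {"approve_payment", "approve_expense"},
    "developer": {"develop_code"},
    "release_engineer": {"deploy_production"},
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of duties a user holds through all assigned roles."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def find_sod_violations(assignments, conflicts=SOD_CONFLICTS):
    """Return {user: [sorted conflicting duty pairs]} for every user whose
    combined roles cover a toxic combination; clean users are omitted."""
    violations = {}
    for user, roles in assignments.items():
        duties = effective_duties(roles)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= duties]
        if hits:
            violations[user] = sorted(hits)
    return violations


if __name__ == "__main__":
    # Constructed assignments: "dana" and "eve" accumulated roles over time.
    sample = {
        "alice": ["ap_clerk"],
        "bob": ["ap_manager"],
        "dana": ["ap_clerk", "ap_manager"],
        "eve": ["developer", "release_engineer"],
    }
    for user, pairs in find_sod_violations(sample).items():
        print(f"{user}: conflicting duties {pairs}")
```

Each flagged user is a review item: either remove one role or document a compensating control (for example, independent approval of that user's transactions).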

Risk-based security

Security controls must align with:

  • Risk appetite
  • Risk tolerance
  • Business impact
  • Cost-benefit balance

CRISC frequently tests over-control and under-control scenarios.


Frameworks vs standards (critical distinction)

Framework:
High-level structure for managing security and governance.

Standard:
Specific requirements or detailed control expectations.

Framework = blueprint
Standard = detailed building instructions

CRISC may test confusion between the two.


Common framework types (conceptual awareness)

You are not tested on memorizing framework names, but on understanding their purpose.

Security Governance Frameworks:
Provide structure. Align to enterprise governance. Support maturity measurement.

Risk Management Frameworks:
Identify and assess risk. Support risk-based control selection.

Cybersecurity Frameworks:
Organize control categories. Improve resilience.

Compliance Standards:
Define minimum requirements. Support regulatory alignment.

Key idea:

Frameworks organize.
Standards specify.


Control objectives vs control activities

Control Objective:
What you are trying to achieve.

Control Activity:
How you achieve it.

Example:

Objective: Protect sensitive data.
Activity: Encrypt data at rest.

CRISC tests whether you focus on objectives over tools.


Maturity & capability

Security maturity models assess:

  • Governance structure
  • Process repeatability
  • Control consistency
  • Monitoring discipline
  • Continuous improvement

Higher maturity generally reduces residual risk.

But maturity must align with risk appetite and business needs.


Example scenario

An organization adopts a security framework but does not integrate it into governance processes.

What is the PRIMARY weakness?

A. Strong maturity
B. Framework adoption without operational integration
C. Reduced inherent risk
D. Improved KPI

Correct answer:

B. Framework adoption without operational integration

Frameworks must be embedded, not symbolic.


Slightly harder scenario

A company implements extensive encryption controls across all systems regardless of risk level.

What principle may be violated?

A. Defense in depth
B. Risk-based proportionality
C. Segregation of duties
D. Availability

Correct answer:

B. Risk-based proportionality

Controls must align with risk, not be applied universally without analysis.


Security policies vs standards vs procedures

Policy:
High-level management direction.

Standard:
Mandatory requirement supporting policy.

Procedure:
Step-by-step instructions.

CRISC may test confusion between these.

Policy = “What and why”
Standard = “What must be met”
Procedure = “How to execute”


Governance integration

Security frameworks must:

  • Align to enterprise governance
  • Support risk management
  • Enable monitoring
  • Inform reporting
  • Integrate with audit
  • Support escalation

Security must support business strategy.


The most common exam mistakes

Candidates often:

  • Memorize framework names instead of purpose.
  • Choose most secure option regardless of risk alignment.
  • Confuse standards and frameworks.
  • Ignore cost-benefit balance.
  • Focus on technical detail instead of governance alignment.
  • Assume maturity equals zero risk.

CRISC evaluates proportional governance thinking.


Slightly uncomfortable scenario

An organization maintains documented policies and standards but does not monitor compliance or enforce violations.

What governance principle is MOST compromised?

A. Defense in depth
B. Enforcement and oversight discipline
C. Availability
D. Risk identification

Correct answer:

B. Enforcement and oversight discipline

Documentation without enforcement does not reduce risk.


Quick knowledge check

1) The primary purpose of a security framework is to:

A. Configure firewalls
B. Provide structured governance and control alignment
C. Eliminate risk
D. Replace risk management

Answer & reasoning

Correct: B

Frameworks provide structure.


2) Applying the same security control to all systems regardless of risk most directly violates:

A. Confidentiality
B. Risk-based proportionality
C. Availability
D. Integrity

Answer & reasoning

Correct: B

Controls should align with risk exposure.


3) A policy primarily defines:

A. How to configure encryption
B. Specific technical requirements
C. High-level management direction
D. Testing frequency

Answer & reasoning

Correct: C

Policies define intent and direction.


Final takeaway

Information Security Principles require:

  • CIA alignment
  • Layered defense
  • Least privilege
  • Segregation of duties
  • Risk-based proportionality
  • Governance integration
  • Framework structure
  • Standards alignment
  • Enforcement discipline
  • Continuous maturity improvement

Frameworks do not reduce risk on their own.

Governed implementation does.

CRISC rewards structural understanding — not memorization of framework names.

Next module: Module 46, Information Security Awareness Training