Question

Using the Internet, go to the International Information Systems Security Certifications Consortium (ISC) Web site (www.isc2.org) and look for the InfoSec common body of knowledge (CBK). When you review the list of 10 areas in the CBK, is policy listed? Why do you think this is so?

Answer 1

No, policy is not listed explicitly as a separate domain in the ISC2 Common Body of Knowledge (CBK). While it does not have a dedicated domain in the CBK, it is considered a crucial component of information security.

• The reason why policy is not listed explicitly as a separate domain in the ISC2 CBK is likely due to the fact that it is a cross-cutting concept that is relevant to all of the other domains.

Policy is about communicating security requirements, training employees, and creating a culture of security within an organization.

Therefore, the ISC2 CBK is a comprehensive framework that covers ten key domains of information security such as: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security.