
CAS-004 Governance, Risk, and Compliance


Frequently Asked Questions

In an enterprise environment operating across multiple regulatory regions, which factor should primarily determine whether an organization adopts ISO/IEC 27001 instead of the NIST Cybersecurity Framework?

Answer:

Regulatory alignment and certification requirements should be the primary factor when selecting ISO/IEC 27001 over NIST CSF.

Explanation:

ISO/IEC 27001 is a certifiable international standard designed for organizations that must demonstrate formal compliance with a recognized information security management system (ISMS). It is commonly adopted by organizations operating globally where certification and third-party assurance are required by regulators, customers, or partners. In contrast, the NIST Cybersecurity Framework is guidance-based and widely used within U.S. organizations, particularly federal agencies and critical infrastructure sectors. When regulatory environments demand verifiable certification or internationally recognized governance controls, ISO/IEC 27001 becomes the more appropriate choice.

Demand Score: 72

Exam Relevance Score: 81

When conducting enterprise risk management, under what condition is risk transfer more appropriate than risk mitigation?

Answer:

Risk transfer is appropriate when the cost or operational impact of mitigating the risk internally exceeds the acceptable cost of transferring the risk to a third party.

Explanation:

Organizations often evaluate risk treatment options using cost–benefit analysis. If implementing technical or administrative controls to mitigate a risk requires excessive resources, complexity, or operational disruption, transferring the risk may be preferable. This is commonly done through cyber insurance, outsourcing services, or contractual liability agreements. Risk transfer does not eliminate the risk but shifts financial responsibility to another party. Security architects must ensure that contractual controls and service-level agreements clearly define responsibility, monitoring requirements, and accountability.

Demand Score: 67

Exam Relevance Score: 77

Why might an organization integrate multiple governance frameworks instead of adopting only one security framework?

Answer:

Organizations integrate multiple governance frameworks to address different regulatory requirements, operational environments, and security maturity levels.

Explanation:

No single framework typically satisfies every compliance or governance requirement. Large enterprises frequently operate across sectors such as finance, healthcare, and government, each with unique regulatory obligations. For example, an organization might adopt ISO/IEC 27001 for international ISMS governance while mapping operational controls to the NIST Cybersecurity Framework or NIST SP 800-53. Combining frameworks allows organizations to leverage strengths from each model while ensuring regulatory alignment across jurisdictions. Security architects must maintain a control mapping matrix to prevent duplication and ensure consistent risk management practices.

Demand Score: 64

Exam Relevance Score: 76

During risk analysis, why would a security architect recommend accepting a risk rather than mitigating it?

Answer:

Risk should be accepted when the likelihood and impact of the risk fall within the organization’s defined risk tolerance and mitigation would provide minimal additional benefit.

Explanation:

Risk acceptance is a formal decision made when the cost or operational burden of implementing controls outweighs the potential damage the risk could cause. Security architects document the decision using risk registers and obtain approval from executive stakeholders or governance committees. Acceptance decisions should include monitoring strategies to ensure the risk environment does not change. If threat likelihood or asset value increases, the risk treatment decision must be reassessed.

Demand Score: 61

Exam Relevance Score: 74
