NIST-COBIT-2019 Isaca ISACA Implementing the NIST Cybersecurity Framework using COBIT 2019 Free Practice Exam Questions (2025 Updated)

The objective of COBIT Implementation Phase 3 is to set an improvement target and identify gaps and potential solutions using COBIT’s guidance. This involves creating a detailed business case and a high-level program plan for the implementation.

ReferencesCOBIT 2019 Design and Implementation COBIT Implementation, page 31.7 Phases in COBIT Implementation | COBIT Certification - Simplilearn

The objective of COBIT Implementation Phase 2 is to define the scope of the implementation using COBIT’s mapping of enterprise goals to IT-related goals and the associated IT processes, and to consider how risk scenarios could also highlight key processes on which to focus. This phase also involves documenting the current capability and performance of the selected processes and identifying opportunities for improvement12.

References7 Phases in COBIT Implementation | COBIT Certification - SimplilearnCOBIT 2019 Design and Implementation COBIT Implementation, page 31.

This is an objective of Implementation Phase 3: Where Do We Want to Be?, because it involves defining the desired state of the enterprise’s governance and management system, based on the stakeholder needs, drivers, and scope12. This objective also includes developing a business case that provides the rationale and justification for the improvement program, and a high-level program plan that outlines the scope, objectives, approach, and resources of the program3 .

References: 1: COBIT 2019 Implementation Guide 2: COBIT 2019 Implementation - ISACA 3: Business Case Development - ISACA : How to Write a Business Case for Cybersecurity Projects | Infosec

Analysis is one of the six categories within the Detect function of the NIST Cybersecurity Framework. The Analysis category aims to identify the occurrence of a cybersecurity event by performing data aggregation, correlation, and analysis12.

References: 1: The Five Functions | NIST 2: Cybersecurity Framework Components | NIST

This CSF step corresponds to the COBIT objective of knowledge and understanding of enterprise goals, because it involves identifying the business drivers, mission, objectives, and risk appetite of the organization, as well as the scope and boundaries of the cybersecurity program12. This step helps to ensure that the cybersecurity activities and outcomes are aligned with the enterprise goals and strategy34.

References: 1: Cybersecurity Framework Components | NIST 2: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 3: COBIT 2019 Design and Implementation COBIT Implementation5 4: COBIT® 2019 Foundation | Skillsoft Global Knowledge6

Executives are the role that will benefit most from a better understanding of the current cybersecurity posture by applying the CSF. This is because executives are responsible for setting the strategic direction, objectives, and priorities for the organization, as well as overseeing the allocation of resources and the management of risks1. By applying the CSF, executives can gain a comprehensive and consistent view of the cybersecurity risks and capabilities of the organization, and align them with the business goals and requirements2. The CSF can also help executives communicate and collaborate with other stakeholders, such as regulators, customers, suppliers, and partners, on cybersecurity issues3.

References: 1: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 2: Cybersecurity Framework | NIST 3: Framework Documents | NIST

The CSF Implementation Tiers distinguish three fundamental dimensions of risk management to help enterprises evaluate their cybersecurity posture, which is the alignment of their cybersecurity activities and outcomes with their business objectives and risk appetite12. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe the degree of rigor, integration, and collaboration of the organization’s cybersecurity risk management practices12.

References: 1: Cybersecurity Framework Components | NIST 2: Cybersecurity Framework FAQs Framework Components | NIST

A CSF Informative Reference within the CSF Core provides a citation to a related activity from another standard or guideline that can help an organization achieve the outcome described in a CSF Subcategory12. For example, the Informative Reference for ID.AM-1 (Physical devices and systems within the organization are inventoried) is COBIT 5 APO01.01, which states "Maintain an inventory of IT assets"3.

References: 1: Informative References: What are they, and how are they used? | NIST 2: Everything to Know About NIST CSF Informative References | Axio 3: NIST Cybersecurity Framework v1.1 - CSF Tools - Identity Digital

According to the COBIT Performance Management Rating Scale, a subcategory maturity level of 95% corresponds to the rating of Fully Achieved, which means that the outcome is achieved above 85%12. This indicates that the enterprise has a high degree of capability and maturity in the subcategory, and that the practices and activities are performed consistently and effectively34.

References: 1: Performance Management of Processes - Testprep Training Tutorials 2: COBIT 2019 and COBIT 5 Comparison - ISACA 3: COBIT 2019 Performance Management: Principles and Processes 4: Effective Capability and Maturity Assessment Using COBIT 2019 - ISACA

According to the NIST Cybersecurity Framework, gaps identified between the current and target profiles should be addressed through a risk-based approach, which enables an organization to gauge the resources needed and prioritize the mitigation of gaps in a cost-effective manner. This approach also aligns the cybersecurity program with the business objectives and risk appetite of the organization12.

ReferencesExamples of Framework Profiles | NISTWhat is the NIST Cybersecurity Framework? | IBM

The seven high-level CSF steps generally align to the high-level phases of the COBIT 2019 implementation guide, which are: What are the drivers?; Where are we now?; Where do we want to be?; What needs to be done?; How do we get there?; Did we get there?; and How do we keep the momentum going?12. These phases provide a structured approach for implementing a governance system using COBIT 2019, and can be mapped to the CSF steps of Prioritize and Scope, Orient, Create a Current Profile, Conduct a Risk Assessment, Create a Target Profile, Determine, Analyze and Prioritize Gaps, and Implement Action Plan34.

References: 1: COBIT 2019 Implementation Guide 2: COBIT 2019 Implementation - ISACA 3: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 4: REVIEW OF IMPLEMENTING THE NIST CYBERSECURITY FRAMEWORK USING COBIT 2019.

This is an objective of COBIT Implementation Phase 3: Where Do We Want to Be?, because it involves defining the desired state of the enterprise’s governance and management system, based on the stakeholder needs, drivers, and scope12. This objective also includes using the COBIT Performance Management system to assess the current and target capability levels of the processes that support the governance and management objectives34.

References: 1: COBIT 2019 Implementation Guide 2: COBIT 2019 Implementation - ISACA 3: COBIT 2019 Performance Management: Principles and Processes 4: Effective Capability and Maturity Assessment Using COBIT 2019 - ISACA

This represents a best practice for completing CSF Step 3: Create a Current Profile, because it involves collaborating with relevant stakeholders to identify the current cybersecurity outcomes and implementation status of the organization12. Engaging in a dialogue and obtaining input can help to ensure that the Current Profile reflects the business drivers, mission, objectives, and risk appetite of the organization, as well as the scope and boundaries of the cybersecurity program34.

References: 1: Cybersecurity Framework Components | NIST 2: Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide3 3: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 4: NIST CSF: The seven-step cybersecurity framework process5

The implementation status is the information that should be collected for a Current Profile, because it indicates the degree to which the cybersecurity outcomes defined by the CSF Subcategories are currently being achieved by the organization12. The implementation status can be expressed using a four-level scale: Not Performed, Partially Performed, Performed, and Informative References Not Applicable34.

References: 1: Cybersecurity Framework Components | NIST 2: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 3: Framework Documents | NIST 4: REVIEW OF IMPLEMENTING THE NIST CYBERSECURITY FRAMEWORK USING COBIT 2019.