M-209 cipher machine.

Standards and Regulations

ISO Standards

Too many numbers! These are all the ISO documents I have found within the test-relevant parts of the (ISC)2 material. I'll mark in yellow those that will appear the most, and in grey those that are unlikely to need you to recognize by number (but know the concept!), no color for medium likelihood.

U.S. Government requirements and documents

FISMA requires U.S. Government agencies to produce security plans; the NIST documents say how.

FedRAMP is about U.S. Government use of cloud technology.

FIPS 140-2 specifies approved cryptography, software and hardware.

NIST special publications. Again, yellow is more likely to appear, uncolored is medium likelihood:

SP 800-37 RMF = Risk Management Framework, how to apply 800-53 controls, with a 6-step process (mnemonic CSIAAM):
  1. Categorize risks
  2. Select tools
  3. Implement
  4. Assess effectiveness
  5. Authorize (by management)
  6. Monitor
SP 800-39 RMF = Risk Management Framework overview, how to manage risk
SP 800-53 "Security and Privacy Controls for Federal Information Systems and Organizations"
It's a catalog of security controls, applied to all U.S. federal government information and IT systems.
SP 800-64 Application security (through SDLC or Software Design Life Cycle)
SP 800-82 Guide to ICS (Industrial Control Systems)
SP 800-145 Defines "cloud" and associated terms.
SP 800-160 Security for IoT and ICS

Seen in some training / review material, unlikely to be on test (because there aren't yet cloud service providers with data centers in Iran or Syria or DPRK):

SOC (formerly SAS 70, now SSAE) = auditing reports

Type 1: Auditor's opinion on the accuracy and completeness of management's description of the system, plus the suitability of the system's design.
Type 2: Type 1 plus an audit of the effectiveness of those controls over a declared period, usually 6 or 12 months.

SOC 1: Report for financial auditors and investors.
SOC 2: Report for IT staff, regulators, and business partners.
SOC 3: A pass/fail summary of SOC 2, brochure-type content for current or potential customers.

Intended recipients of SOC 2 should have sufficient knowledge to use the details, which address any of the five Trust Services:

SSAE = Statement on Standards for Attestation Engagements. It's an auditing standard for service organizations. It was SSAE 16; since May 2017 it's SSAE 18.

Common Criteria


CC = Common Criteria, EAL1 (just functionally tested) up to EAL7 (formally verified design and tested). Most commercial offerings are EAL4. Trusted Solaris was EAL4+. The Integrity-178B real-time operating system used in some U.S. military aircraft has been certified as EAL6+. So far, that's the highest ever achieved.

National and International Laws for P&DP or Privacy and Data Protection

Industry Regulations

There's far more detail but the above should be enough. Simplified version of merchant levels and auditing, enough to know if this less likely question topic appears:

Highly Regulated Industries

They have their own specialized compliance regulations. For example, NERC or North American Electric Reliability Corporation.

CSA Cloud Security Alliance

STAR — Security, Trust, and Assurance Registry

CCM — Cloud Controls Matrix

CAIQ — Consensus Assessments Initiative Questionnaire — self-assessment done by cloud providers

Not on the exam, but...

I am personally very skeptical of the CSA material. Definitely memorize the above for the exam. But in the real world, I think that Texas Health and Human Services has really done this right.
Contracting with HHS
HHS Information Security Controls

ENISA — European Network and Information Security Agency

"Cloud Computing: Benefits, Risks, and Recommendations for Information Security" lists the top eight security risks; oddly, it doesn't mention availability. Less likely to appear.

GAPP — Generally Accepted Privacy Principles

AICPA (American Institute of Certified Public Accountants) standard for privacy; it describes 74 (!) principles.

CSA Enterprise Architecture:

These are some other quasi-official lists you might need to know.