CISSP Practice question #87

When we apply standards and frameworks, we can use tailoring to do what?
A: To implement the full standard or framework, but implement different standards in some areas.
B: To pick and choose which parts of the standard or framework we want to implement.
C: Find out how much the implementation will cost us.
D: To see if the standard is a good fit for our organization.

CBK 2: Asset Security
Source: practice tests


A: Tailoring is customizing a standard to your organization. For example: we will apply this standard, but we use stronger encryption (AES 256-bit).


IT security trainer.
Sharing my knowledge, to help you reach your IT certification goals.
CISSP, C|EH, PMP, CCNP, CompTIA Security+, SCP, CCNA-Security, CCNA, et al.


  1. Even though I disagree with A, it's the correct answer, as CISSP exams want us to look more than once at the answers. It seems B is the correct answer, but A states that the full standard or framework is to be implemented; the BUT makes the difference. You'll still implement standards, but different ones, so they're tailored ones.

    1. A implies that we choose to implement the standards but, at least in a corporate environment, we may have to tailor those standards to our equipment/software as certain implementations cannot meet those standards and cost/time/etc would be prohibitive. This is a pretty standard policy implementation.

      B implies that we pick and choose based upon other constraints which may or may not be arbitrary.

  2. Not sure why the ans is A.
    What does tailoring mean …
    We bring clothes to a tailor and the tailor cuts the clothes based on the person's height, waist size and others. The tailor cuts from available resources to adjust based on the need; he never brings new cloth.
    Likewise here, we have available resources like standards, and we can adjust as per what we need, and others we can remove from the list.
    Thor Pedersen, please explain why it's A! It should be B.

  3. Aren’t standards considered to be mandatory? In which case when implementing them, we can’t “pick and choose” and subsequently say we met the standard. Since different areas have different requirements which other standards may satisfy, my gut reaction is to go with answer A.

    1. No, Zeeshan Satti, a standard is a generally agreed upon principle or rule to which we point as a best practice – merely an aspirational goal. Whether a standard is, or is not, mandated is a determination made by a policy. In other words, standards are not mandatory in and of themselves; however, they might be made mandatory by policy.
