ISC2 Governance, Risk and Compliance (CGRC) Practice Question

The NIST Cybersecurity Framework's Identify function focuses on understanding the business context, resources that support critical functions, and the related cybersecurity risks. A foundational activity in this function is Asset Management, which requires an up-to-date inventory of hardware, software, data flows, and associated business processes. Without this inventory, the organization cannot effectively recognize what must be protected or how risk should be prioritized, directly undermining the Identify function.

The Protect function concentrates on safeguards such as access control and awareness training; Detect is concerned with discovering cybersecurity events; Respond addresses actions taken during an incident; and Recover involves restoring services after an incident. None of these functions substitute for the baseline understanding of assets that Identify provides.