1

Enterprise Security Architecture & IT Governance

Enterprise Security Architecture (ESA) is a framework for defining the baseline, goals, and methods used to secure the organisation against risk. It sits within IT Service Management (ITSM) — the broader discipline of choosing, deploying, and operating the right technologies for the organisation's benefit.

Framework-based governance seeks to mitigate risks associated with IT service delivery. A good ESA framework provides: lists of policies and procedures, activity checklists, technology recommendations, and an externally verifiable statement of regulatory compliance.

ITIL
IT Infrastructure Library — focuses on aligning IT services with business needs. The most widely adopted IT service management framework globally. Strong career value for management and executive roles.
COBIT
Control Objectives for Information and Related Technologies — focuses on IT governance and management. Widely used in audit and compliance contexts.
TOGAF
The Open Group Architecture Framework — an enterprise architecture methodology for designing, planning, implementing, and governing enterprise IT architecture.
ISO 20000
International standard for IT service management. Provides requirements for establishing, implementing, and maintaining a service management system (SMS).
Exam note: You don't need to memorise the details of each IT governance framework for the exam. Know that these frameworks exist to provide structure for IT governance and regulatory compliance. The specific frameworks tested on the exam are the industry-specific ones in Section 5 and the NIST CSF in Section 4.
2

Prescriptive vs. Risk-Based Frameworks

Prescriptive Framework — mandatory, checklist-driven
Stipulates which specific controls must be selected and deployed. The organisation does what the framework says — mandatory, not discretionary. Usually driven by regulatory compliance (HIPAA, PCI DSS). Good for: proving compliance, passing audits. Risk: organisations implement controls to satisfy the checklist rather than to address real risk. Can create alert fatigue if a SIEM is deployed "because the framework says so" without addressing an actual risk.
Risk-Based Framework — flexible, priority-driven
Uses risk assessment to prioritise control selection and investment. The organisation decides which controls to implement based on the actual risks they face. More flexible — allows organisations to develop their own approach. Better for organisations not subject to heavy regulation. NIST CSF is the primary example. Risk: less rigour for regulated industries where specific controls are legally required.
In practice: Regulatory requirements (HIPAA, PCI DSS, SOX) force a prescriptive approach for covered areas. Everything else can and should be handled risk-based. Most organisations use both: prescriptive where the law requires it, risk-based everywhere else. The NIST CSF is designed to complement regulatory requirements, not replace them.
3

Maturity Models — Five Tiers

A maturity model assesses how formalised and optimised an organisation's security controls are. It answers: where are we now? Where do we want to be? What do we need to do to get there? Most maturity models use a 5-tier structure moving from reactive (fighting fires) to fully proactive (preventing fires).

L1
Initial (Reactive)
Highly reactive posture. No defined processes. Each incident is handled ad hoc. Constantly firefighting without any time to plan ahead.
L2
Managed (Risk-Aware)
Prepares to mitigate through risk assessments. Starting to understand what risks exist and beginning to plan responses, but processes are not yet formalised across the organisation.
L3
Defined (Documented)
Defined policies and procedures exist for most scenarios. Still reactive in places — the procedures don't cover every situation and some incidents still catch the organisation off-guard.
L4
Quantitative Management (Measured)
Management oversight of all known risks. Risk register is maintained. Known risks have assigned mitigations. Some surprises still occur — the organisation is mostly in control but not yet fully proactive.
L5
Optimising (Fully Proactive)
Fully risk-driven proactive approach. Organisation anticipates threats and addresses them before they materialise. Continuous improvement built into all processes. The highest and most expensive level to maintain.
Level 5 isn't always the goal: The cost of achieving and maintaining Level 5 is significant. Most organisations aim for Level 3 or 4 — enough to manage risk to within their risk appetite without spending disproportionately on security controls. The right level depends on the organisation's risk appetite, not an abstract standard of perfection.
4

NIST Cybersecurity Framework — Core, Tiers & Profiles

The NIST Cybersecurity Framework (CSF) is a risk-based framework focused on IT security. Unlike prescriptive frameworks, it doesn't mandate specific controls — it provides a structure for organisations to identify, manage, and communicate their cybersecurity risk. It has three components: the Framework Core, Implementation Tiers, and Framework Profiles.

NIST CSF — Five Core Functions (framework core)
Identify
Asset mgmt, governance, risk assessment, supply chain
Protect
Access control, training, data security, maintenance
Detect
Anomaly detection, continuous monitoring, processes
Respond
Response planning, comms, analysis, mitigation
Recover
Recovery planning, improvements, communications
Framework Core
The 5 functions (Identify → Recover), each divided into categories and subcategories. A library of controls to choose from.
Implementation Tiers
How integrated the core functions are into the org's risk management: Partial → Risk-Informed → Repeatable → Adaptive
Framework Profiles
Current state vs. target state. Identifies the gap between where you are and where you want to be — drives investment prioritisation.
Exam priority: Know the five NIST CSF functions in order: Identify → Protect → Detect → Respond → Recover. Know that the framework has three components (Core, Tiers, Profiles). Know it's a risk-based (not prescriptive) framework. The implementation tier progression: Partial → Risk-Informed → Repeatable → Adaptive.
5

Industry Frameworks — PCI DSS, CIS, OWASP, ISO 27001, OSS TMM

Beyond governance frameworks, there are industry-specific frameworks targeted at particular domains (payment card security, web application security, information security management, etc.). These are the ones most likely to appear in day-to-day work as a cybersecurity analyst.

PCI DSS
Payment Card Industry Data Security Standard
Mandatory for all orgs that process, store, or transmit payment card data. Created by major credit card companies. Enforced by contractual requirement, not law. Violations mean fines and loss of card processing ability.
6 control objectives ↓
1. Build/maintain secure network
2. Protect cardholder data
3. Vulnerability management program
4. Strong access controls
5. Monitor and test networks
6. Maintain info security policy
CIS
Center for Internet Security Controls
Non-profit providing 20 prioritised security controls in three categories: Basic (first line of defence — inventory, IR plan), Foundational (device config, patching), Organisational (training, risk assessments). Developed by experts across government, healthcare, and finance.
20 controls → 3 categories: Basic / Foundational / Organisational
OWASP
Open Web Application Security Project
Non-profit focused on web application security. Publishes the OWASP Top 10 — the 10 most critical web app security risks, updated every 3 years (2017, 2021, 2024). Includes: injection attacks, broken auth, XSS, broken access control, security misconfiguration, sensitive data exposure, etc.
Top 10 web app risks — updated every 3 years
ISO 27001
Information Security Management System Standard
Part of the ISO 27000 family. Specifies requirements for an ISMS (Information Security Management System). Three areas: policies/procedures/responsibilities + organisational structure + controls (technical: encryption/firewalls; organisational: access control/incident management). Requires extensive documentation for audit evidence.
ISMS framework — technical + organisational controls
OSS TMM
Open Source Software Testing Methodology Manual
Framework for evaluating and improving open source software testing processes. Five levels matching the maturity model: Initial → Managed → Defined → Quantitatively Managed → Optimising. Helps orgs identify security vulnerabilities in the open source libraries they depend on.
5-level maturity model for open source security testing
Exam scope: Know the name, purpose, and key association for each framework. PCI DSS = credit card data. CIS = 20 controls in 3 categories. OWASP = Top 10 web app risks. ISO 27001 = ISMS. OSS TMM = open source software testing. You don't need to memorise the full detail of any framework.
6

Audits, Assessments & Evaluations — QC, QA, V&V

These terms are often used interchangeably in casual conversation but have distinct meanings in cybersecurity and compliance contexts. The key differentiator is how rigorous and standardised the process is.

TermDefinitionKey characteristicExample
Quality Control (QC) Determining whether a system is free from defects at the time of production/deployment. Real-time action during creation Checking code for bugs during software build
Quality Assurance (QA) The overarching program that defines what quality means and how it is measured and checked. QC is a component of QA. Process around QC The testing program that encompasses QC activities
Verification Compliance testing to ensure a system meets its design goals or regulatory requirements. ("Are we building the product right?") Digital equivalent of QC — does it do what it's supposed to? Code review confirms the security module behaves as designed
Validation Determining whether the system is fit for purpose after installation — is it configured correctly and doing what it needs to do? ("Are we building the right product?") Post-deployment check — is it working as intended? IDS is installed and actually detecting the threat types it was purchased for
Assessment Testing against a checklist of requirements in a structured way — measured against an absolute standard that is tailored to the organisation. Structured checklist — more tailored, still methodical A certified pre-owned car's 83-point inspection checklist
Evaluation Less methodical process using expert judgment to examine outcomes or usefulness. More comparative and opinion-based than an assessment. Expert opinion — more fluid A mechanic looks over a car and says "looks good to me"
Audit The most rigorous process — comparing the organisation against a predefined, external standard. Required in regulated industries. Identifies areas requiring remediation. Rigid external standard — everyone must meet the same bar PCI DSS Qualified Security Assessor (QSA) audit — quarterly or annual
Exam mnemonic: Audit (most rigid, external standard) > Assessment (structured checklist, tailored to org) > Evaluation (expert judgment, opinion-based). Verification = "did we build it right?" (design goals). Validation = "does it work as intended?" (fit for purpose). QC = action; QA = program around QC.
7

Scheduled Reviews & Continual Improvement

Scheduled reviews are regular (quarterly or annual) structured examinations of the organisation's security posture — similar to lessons learned but occurring on a fixed schedule rather than being triggered by incidents.

What a scheduled review covers

Previous incidents
Review major incidents from the review period — what happened, how were they handled, what was the outcome?
Threat intelligence trends
How has the threat landscape changed since the last review? Are new adversaries targeting your industry or technology stack?
Control changes
What security controls were added or removed? Did they increase or decrease risk posture? Are new systems in scope?
Compliance progress
Are we on track with framework adoption and regulatory requirements? What compliance gaps remain from the last review?

Continual improvement

Continual improvement is the process of making small incremental gains to products and services by identifying defects and inefficiencies for further refinement. Big goals are broken into small, repeatable changes — each one moves the organisation closer to the target state.

Six Sigma
Data-driven methodology for reducing defects. Uses DMAIC: Define, Measure, Analyse, Improve, Control. Originated in manufacturing, widely adopted in IT.
Deming Cycle (PDCA)
Plan → Do → Check → Act. The foundational continual improvement cycle used in quality management, IT service management, and information security.
ITIL 7-Step Improvement
Identify strategy → define what to measure → gather data → process data → analyse → present → implement. Specific to IT service improvement within the ITIL framework.
Exam note: You don't need to know specific continual improvement methodologies for the CySA+ exam. Know that continual improvement exists, that it uses small incremental changes rather than big-bang transformations, and that all methods follow the same general pattern: define goals → measure baseline → analyse → improve → monitor → measure again.
8

Continuous Monitoring & CDM

Continuous monitoring is the technique of constantly evaluating an environment for changes so that new risks can be quickly detected and business operations can be improved. It transforms organisations from reactive postures (discovering breaches weeks later) to proactive postures (detecting anomalies in real time).

Benefits of continuous monitoring

Situational awareness
Always know what systems are in use, what's having issues, and what actions need to be taken. No more waiting for the annual assessment to discover problems.
Routine audits
Pull logs and generate audit evidence at any time — not just when an auditor arrives. Compliance evidence is always available.
Real-time analysis
Alerts fire when anomalies happen — not when the analyst gets around to reviewing last month's logs. Minimises the dwell time of undetected threats.
Proactive posture
Detect and respond before damage is done, rather than doing forensics after a breach has already occurred and caused harm.
Metrics quality matters: Setting up a SIEM isn't the same as continuous monitoring if nobody is watching it. Collecting data just to collect data is not monitoring — it's log storage. Define actionable metrics that represent real risk to the organisation. Volume of alerts doesn't equal security value; quality and relevance of alerts does.

CDM — Continuous Diagnostics and Mitigation (US Federal)

Required for US government agencies. CDM provides tools and capabilities to identify cybersecurity risks on an ongoing basis, prioritise them by potential impact, and enable personnel to mitigate the most significant problems first. Organised as a dashboard with four tiers of questions:

What is on our network?
Asset Management
Hardware and software inventory. You can't secure what you don't know you have. Foundation of the CDM programme.
Who is on our network?
Identity & Access Management
User identities, privileges, and access rights. Ensures only authorised personnel can access specific systems.
What is happening on our network?
Network Security Management
Traffic flows, network events, anomalous communications. Real-time visibility into network behaviour.
How is our data protected?
Data Protection Management
Data classification, encryption, access controls on sensitive information. Ensures data is protected throughout its lifecycle.

Exam

Quick Reference Cheat Sheet

Governance frameworks
ESA = Enterprise Security Architecture — the overarching framework for securing the organisation. IT governance frameworks: ITIL (service management), COBIT (IT governance), TOGAF (architecture), ISO 20000 (ITSM standard). Don't need full details for exam — just know they exist and their general purpose.
Prescriptive vs. risk-based
Prescriptive = mandatory, checklist-driven, control selection specified, regulatory compliance driven (HIPAA, PCI DSS). Risk-based = flexible, organisation selects controls based on actual risk (NIST CSF). Real world: prescriptive where law requires, risk-based everywhere else.
Maturity model (5 tiers)
L1 Initial (reactive, firefighting). L2 Managed (risk assessments starting). L3 Defined (policies + procedures documented). L4 Quantitative (risk register, management oversight). L5 Optimising (fully proactive, risk-driven). Goal: not always L5 — cost must justify the level.
NIST CSF
Risk-based framework. 3 components: Core (5 functions), Tiers (Partial→Risk-Informed→Repeatable→Adaptive), Profiles (current vs. target state). 5 functions: Identify → Protect → Detect → Respond → Recover. Each function has categories and subcategories as control choices.
Industry frameworks
PCI DSS = credit cards, 6 objectives, contractual (not law), QSA audit. CIS = 20 controls, Basic/Foundational/Organisational categories. OWASP = Top 10 web app risks, updated every 3 years. ISO 27001 = ISMS, technical + organisational controls. OSS TMM = open source software testing, 5-level maturity.
Audit vs. Assessment vs. Evaluation
Audit = most rigid, external standard, everyone meets the same bar, regulated industries (QSA audit). Assessment = structured checklist, tailored to the org's context. Evaluation = expert judgment, opinion-based, less methodical. Rigidity order: Audit > Assessment > Evaluation.
QC / QA / V&V
QC = real-time check during creation (is this free from defects?). QA = the overarching program (QC is a component). Verification = "did we build it right?" (design goals met). Validation = "does it work as intended?" (fit for purpose, post-deployment). V&V = verification + validation together.
Scheduled reviews & continual improvement
Scheduled reviews = quarterly/annual structured review of posture, incidents, threats, control changes, compliance progress. Continual improvement = small incremental changes that add up to big change. Methods: Six Sigma (DMAIC), Deming/PDCA, ITIL 7-Step. Exam: know it exists, not specific methods.
Continuous monitoring & CDM
Continuous monitoring ≠ weekly/monthly checks. Always-on evaluation for changes. Benefits: situational awareness, routine audits, real-time analysis, proactive posture. CDM (US Gov): Asset Management (what?) → IAM (who?) → Network Security Mgmt (what's happening?) → Data Protection (how protected?). Metrics must be actionable — data ≠ monitoring.