CISSP Study Plan – Day 29 of 55 | Understanding the Risk Management Framework (RMF)
- Luke Ahmed
- Oct 4
- 3 min read
Updated: Oct 5
"It's been 5 years since I wrote that book, so good to see it in your hands. The ultimate measure of its success will be the completion of your CISSP."– Luke Ahmed
Today is Day 29 of Yihenew’s CISSP study plan, focusing on the Risk Management Framework (RMF) — one of the most structured approaches to managing system risk and ensuring security decisions are traceable, measurable, and justifiable.
Key Areas Covered:
- Purpose of RMF — to integrate security and risk management activities into the system development lifecycle.
- NIST SP 800-37 — defines the RMF for federal systems, but the process applies to all organizations that value structured governance.
- Six Steps of RMF:
  - Categorize — determine system impact (low, moderate, high).
  - Select — choose security controls based on impact level (from NIST SP 800-53).
  - Implement — put the selected controls in place.
  - Assess — evaluate whether controls are implemented correctly and effectively.
  - Authorize — management formally accepts system risk (the “go live” decision).
  - Monitor — continuously track control performance and respond to changes.
- Roles — Authorizing Official (AO), Information System Owner (ISO), Security Control Assessor (SCA).
- CISSP Exam Tie-In — focus on sequence and accountability. The exam often asks who approves risk or when monitoring occurs in the cycle.
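The two things the exam tests here, step sequence and who is accountable for each step, can be made concrete as a small state machine. The following is an added Python illustration written for this page; it is not code from the post, from Luke Ahmed's course, or from NIST. The step-to-role mapping, the sample control catalog and baseline sizes, and the remediation loop after a denied ATO are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Step(Enum):
    CATEGORIZE = 1
    SELECT = 2
    IMPLEMENT = 3
    ASSESS = 4
    AUTHORIZE = 5
    MONITOR = 6


class Role(Enum):
    AO = "Authorizing Official"
    ISO = "Information System Owner"
    SCA = "Security Control Assessor"
    ADMIN = "System Administrator"


# Step-to-role accountability. The post names the three RMF roles but not this
# mapping; it is an assumption for the illustration (ADMIN owns no step).
STEP_OWNER = {
    Step.CATEGORIZE: Role.ISO,
    Step.SELECT: Role.ISO,
    Step.IMPLEMENT: Role.ISO,
    Step.ASSESS: Role.SCA,
    Step.AUTHORIZE: Role.AO,
    Step.MONITOR: Role.ISO,
}

# Constructed sample catalog (a few SP 800-53 control identifiers) and constructed
# baseline sizes per impact level; the real baselines are far larger.
CATALOG = ["AC-2", "AC-3", "AU-2", "CM-6", "IA-2", "IR-4", "RA-5", "SC-7"]
BASELINE_SIZE = {"low": 3, "moderate": 5, "high": 8}


class RmfError(Exception):
    """Raised when a step is out of sequence or performed by the wrong role."""


@dataclass
class SystemRecord:
    name: str
    impact: Optional[str] = None
    controls: list = field(default_factory=list)
    open_findings: Optional[int] = None
    ato: bool = False
    completed: list = field(default_factory=list)  # steps done in the current cycle
    log: list = field(default_factory=list)        # audit trail across cycles

    def next_step(self) -> Step:
        if not self.completed:
            return Step.CATEGORIZE
        last = self.completed[-1]
        # Monitoring repeats until a significant change restarts the cycle.
        return Step.MONITOR if last is Step.MONITOR else Step(last.value + 1)


def _advance(rec: SystemRecord, step: Step, actor: Role) -> None:
    """Check sequence first, then accountability, then record the step."""
    expected = rec.next_step()
    if step is not expected:
        raise RmfError(f"{step.name} out of sequence; next expected step is {expected.name}")
    if actor is not STEP_OWNER[step]:
        raise RmfError(f"{actor.value} is not accountable for {step.name}")
    rec.completed.append(step)
    rec.log.append(f"{step.name} by {actor.value}")


def categorize(rec: SystemRecord, actor: Role, impact: str) -> str:
    if impact not in BASELINE_SIZE:
        raise ValueError("impact must be low, moderate or high")
    _advance(rec, Step.CATEGORIZE, actor)
    rec.impact = impact
    return impact


def select_controls(rec: SystemRecord, actor: Role) -> list:
    _advance(rec, Step.SELECT, actor)
    rec.controls = CATALOG[: BASELINE_SIZE[rec.impact]]  # baseline follows impact level
    return rec.controls


def implement(rec: SystemRecord, actor: Role) -> None:
    _advance(rec, Step.IMPLEMENT, actor)


def assess(rec: SystemRecord, actor: Role, open_findings: int) -> int:
    _advance(rec, Step.ASSESS, actor)
    rec.open_findings = open_findings  # the SCA reports; the SCA does not decide
    return open_findings


def authorize(rec: SystemRecord, actor: Role, accept_residual_risk: bool) -> bool:
    """Only the AO passes the role check; accepting residual risk is their call alone.
    A denial sends the system back to IMPLEMENT for remediation (assumed loop)."""
    _advance(rec, Step.AUTHORIZE, actor)
    rec.ato = accept_residual_risk
    verdict = "granted" if accept_residual_risk else "denied"
    rec.log.append(f"ATO {verdict} with {rec.open_findings} open finding(s)")
    if not accept_residual_risk:
        del rec.completed[Step.IMPLEMENT.value - 1:]  # keep CATEGORIZE and SELECT
    return rec.ato


def monitor(rec: SystemRecord, actor: Role, significant_change: bool = False) -> Step:
    _advance(rec, Step.MONITOR, actor)
    if significant_change:
        rec.completed.clear()  # back to CATEGORIZE: risk decisions are a cycle
    return rec.next_step()


def demo() -> SystemRecord:
    """One full cycle, including the classic exam trap of the ISO trying to authorize."""
    rec = SystemRecord("payroll")
    categorize(rec, Role.ISO, "moderate")
    select_controls(rec, Role.ISO)
    implement(rec, Role.ISO)
    assess(rec, Role.SCA, open_findings=1)
    try:
        authorize(rec, Role.ISO, True)  # wrong role: blocked, not recorded
    except RmfError as err:
        rec.log.append(f"blocked: {err}")
    authorize(rec, Role.AO, accept_residual_risk=True)
    monitor(rec, Role.ISO)
    return rec


if __name__ == "__main__":
    print(*demo().log, sep="\n")
```

Running the script prints the audit trail for the demo system. The useful behaviour is in the two checks inside `_advance`: an assessment before implementation, or an authorization by anyone but the AO, is refused and never lands in the log, which is exactly the sequence-and-accountability reasoning the exam rewards.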
In this CISSP study plan session, Yihenew explored how RMF connects technical controls to management responsibility — showing that risk decisions are never one-time events but part of a continuous cycle.
Quick CISSP Practice Question
In the RMF, which role is responsible for formally accepting system risk and granting authorization to operate (ATO)?
A. Information System Owner (ISO)
B. Authorizing Official (AO)
C. Security Control Assessor (SCA)
D. System Administrator
✅ Correct Answer: B. Authorizing Official (AO)
Explanation:
The Authorizing Official makes the final call to accept or reject residual risk and authorize operation.
The ISO owns and manages the system, while the SCA evaluates controls and provides recommendations.
CISSP questions test your grasp of risk accountability, not control mechanics.
Think Like a Manager: The RMF isn’t about paperwork — it’s about who owns the decision to live with risk. CISSP will always reward the answer that reflects accountability at the management level, not technical execution.
👉 Can you take the Yani Challenge?
55 days of consistent CISSP prep, tackling one domain at a time, using only the resources below:
Course
- Luke's CISSP Course (2 months access, $89.98)
- One-to-one Zoom sessions with Luke Ahmed (2 weeks before exam)
Books, Notes, and Practice Questions
- All-In-One Study Guide by Shon Harris (Around $45)
- Sybex 10th Edition (Around $52.55)
Total Cost: approximately $250 depending on your geographic location. Yani is located in East Africa.
📚 Study Plan (55 Days of Dedication):
- Weekdays: 2–3 hours of focused study—late nights and early mornings (5 AM).
- Weekends: 5–6 hours of deep study sessions.
Pass the CISSP on the first attempt within 100 questions.
Yani's biggest expense was his time, commitment, consistency, and dedication! It was worth it because he passed on the first attempt in 100 questions using the above resources only.
If Yihenew could do it, so can you.
All the best Future CISSP. You can feel free to contact me anytime as well.
Thank you.
Luke Ahmed