When implementing frameworks like NIST SP 800-53, organisations adapt baseline controls through two distinct phases: scoping and tailoring. The CISSP exam frequently tests whether candidates understand the difference.
Scoping is a binary yes/no decision about whether a control applies to your environment at all. Tailoring comes afterwards and customises how the controls that remain are implemented, for example by adjusting their parameters. No mainframes? Scope out the mainframe controls. Need stronger passwords? Tailor the password policy.
Sequence matters. Ask "Does this control apply?" before "How should we implement it?" Scoping eliminates irrelevant controls first, then tailoring adjusts the rest.
Quick Comparison
| Aspect | Scoping | Tailoring |
|---|---|---|
| Decision | Binary (yes/no) | Parameter adjustment |
| Question | Does this apply? | How do we implement? |
| Order | First | Second |
| Example | Removing ICS controls (no ICS exists) | Changing password length to 16 chars |
Exam distractors often confuse scoping with risk prioritisation or documentation. Remember: scoping is purely about environmental applicability.
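The following is an added worked example (not from the page or from NIST) that models the two-phase process in code: scoping filters the baseline with a per-control applicability predicate evaluated against environment facts, and tailoring then overrides parameters only on the controls that survived. IA-5 and AC-2 are real SP 800-53 control identifiers; the ICS and mainframe entries, the parameter names and the environment values are constructed placeholders. An override aimed at a control that was scoped out is rejected, which is the code's way of enforcing "does it apply?" before "how do we implement it?".

```python
"""Two-phase baseline adaptation: scope first, then tailor.

Constructed illustration. IA-5 and AC-2 are real SP 800-53 identifiers;
the *-PLACEHOLDER entries, parameter names and environment flags are
made up for the example.
"""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List

Environment = Dict[str, bool]


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    applies_when: Callable[[Environment], bool]          # scoping predicate
    parameters: Dict[str, object] = field(default_factory=dict)  # organisation-defined parameters


def always(_env: Environment) -> bool:
    return True


# Constructed baseline: two universally applicable controls plus two that
# only apply when the environment contains the relevant technology.
BASELINE: List[Control] = [
    Control("IA-5", "Authenticator Management", always, {"min_password_length": 8}),
    Control("AC-2", "Account Management", always, {"inactivity_disable_days": 90}),
    Control("ICS-PLACEHOLDER", "Industrial control system safeguards",
            lambda env: env.get("has_ics", False)),
    Control("MAINFRAME-PLACEHOLDER", "Mainframe-specific safeguards",
            lambda env: env.get("has_mainframe", False)),
]


def scope(baseline: List[Control], env: Environment) -> List[Control]:
    """Phase 1: a binary yes/no applicability decision for every control."""
    return [c for c in baseline if c.applies_when(env)]


def tailor(controls: List[Control], overrides: Dict[str, Dict[str, object]]) -> List[Control]:
    """Phase 2: adjust parameters of the controls that survived scoping.

    Overrides naming controls outside the scoped set are rejected: that means
    the phases were run out of order, or the override has a typo.
    """
    by_id = {c.control_id: c for c in controls}
    unknown = set(overrides) - set(by_id)
    if unknown:
        raise ValueError(f"tailoring references controls outside scope: {sorted(unknown)}")
    tailored = []
    for c in controls:
        params = {**c.parameters, **overrides.get(c.control_id, {})}
        tailored.append(replace(c, parameters=params))
    return tailored


def adapt_baseline(baseline: List[Control], env: Environment,
                   overrides: Dict[str, Dict[str, object]]) -> List[Control]:
    """Run the phases in the correct order: scope, then tailor."""
    return tailor(scope(baseline, env), overrides)


# Constructed sample: an organisation with no ICS and no mainframe that
# wants 16-character minimum passwords (the table's two examples).
ENV: Environment = {"has_ics": False, "has_mainframe": False}
OVERRIDES = {"IA-5": {"min_password_length": 16}}

if __name__ == "__main__":
    for ctl in adapt_baseline(BASELINE, ENV, OVERRIDES):
        print(ctl.control_id, ctl.title, ctl.parameters)
```

Running the module prints only IA-5 and AC-2, with IA-5 carrying the tailored 16-character parameter; flipping `has_ics` to `True` brings the ICS control back into scope without touching any tailoring decision, which is the separation the exam is testing for.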