Certified Administrative Professional (CAP) Practice Exam 2025 - Free CAP Practice Questions and Study Guide

Question: 1 / 400

When is it appropriate to review security controls according to NIST guidelines?

After a security breach

After a significant change

The appropriate time to review security controls, according to NIST guidelines, is after a significant change. This aligns with the principles of risk management and continuous monitoring frameworks recommended by NIST. Significant changes could include alterations in organizational structure, changes in technology, system upgrades, or updates in security policies. Each of these changes can introduce new vulnerabilities or modify existing risks, necessitating a thorough review of the security controls to ensure they remain effective and aligned with the new state of the organization.

Reviewing security controls after a security breach is important for diagnosing what went wrong and improving defenses, but it is a reactive measure rather than a proactive one. Regular bi-annual reviews might seem practical, yet NIST emphasizes that reviews should be event-driven rather than strictly timed. Reviewing controls only during audits can lead to complacency, because security is an ongoing process requiring vigilance rather than a periodic task. Therefore, the most strategic approach is to reassess security controls in response to significant changes in the environment or operations.

Every six months

Only during audits
