Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. To streamline the order fulfillment process, the system will be integrated with the ones of key business partners. The development team is evaluating solutions to exchange messages, e.g. XML or JSON, between systems in this supply chain integration initiative. Which of the following layer of the ISO OSI reference model is most related to the evaluation?
A. Application
B. Message Exchange (MX)
C. Presentation
D. Transport

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Application.

This question is designed with a defect. It’s much better to replace the example “XML or JSON” with “SOAP or JWT” because a message exchange solution will not stop at just selecting XML or JSON. The process will consider more business requirements.

Technically, It’s common to classified XML or JSON in Presentation Layer.


Source: Fahad Hussain Free Computer Education

This question is asking about message exchange solutions. There are many factors to consider when designing a message exchange solution; message format, semantics, and integrity are some of them.

ISO OSI (Open Systems Interconnection) – Basic Reference Model is defined in ISO 7498-1. According to ISO 7498-1,  the Presentation Layer relieves application-entities of any concern with the problem of “common” representation of information.


The main purpose of XML (Extensible Markup Language) or JSON is to format messages, impose meaning or semantics on data, and may or may not enforce integrity. However, you can’t use it without defining any tag or identifier. The Presentation layer deals with the representation or format of data, not the meaning or semantics. 

Typically, the Presentation layer addresses encoding, encryption, and compression issues. ASCII, JPEG, and GZIP are good examples. XML or JSON itself can’t encode anything.

If XML or JSON is selected to represent messages, you can’t just use it directly like ASCII or UTF8. The character ‘1’ is encoded as 0x31 in ASCII . That is the ASCII rule determined beforehand, but how do you encode ‘1’ in XML or JSON?

If Application A needs to send 1 piece of Order Quantity to Application B, the message format in XML would be any of the following:

  • <order quantity=”1″ />
  • <order><quantity=”1″/></order>
  • <orders><order><quantity=”1″/></order></orders>

Defining the format (tags, attributes, and so forth) of messages in XML (abstract syntax) is an application concern, because XML itself encodes or formats nothing.

“Common” Representation of Information

Messages format in XML varies as mentioned above; it cannot deliver a predefined “common” representation of information like ASCII, JPEG, or GZIP. Transforming XML messages between different XML schemes (e.g. between the three order quantity examples above) is a concern of the Presentation Layer. The transformed XML message as the “common” representation used for transportation is the Transfer syntax. The “common” format of XML is agreed or defined by an XML schema that can be realized through XSD (XML Schema Definition).


  • XML or JSON itself can’t encode or format anything.
  • You can’t use XML or JSON without defining any tag or identifier.
  • The application of XML or JSON imposes semantics on data.
  • As a result, XML or JSON based messages are not defined or formated in the Presentation Layer. (However, they may or may not be transformed into another type of messages in the Presentation Layer. )


CISSP All-in-One Exam Guide

The presentation layer is not concerned with the meaning of data, but with the syntax and format of that data.

Harris, Shon. CISSP All-in-One Exam Guide, Seventh Edition (p. 485). McGraw-Hill Education.

ISO 7498-1

Key Points

  • This relieves application-entities of any concern with the problem of “common” representation of information, i.e. it provides them with syntax independence.
  • The Presentation Layer is informed of the abstract syntaxes that are to be employed.
  • Presentation-entities have no role in determining the set of abstract syntaxes to be used by the application-entities.


  • Abstract syntax: the specification of Application-protocol-data-units by using notation rules which are independent of the encoding technique used to represent them.
  • Concrete syntax: those aspects of the rules used in the formal specification of data which embody a specific representation of that data.
  • Transfer syntax: the abstract and concrete syntax used in the transfer of data between open systems.


Leave a Reply