Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally as a strategic move. You are going to be designated as the program manager for the E-commerce program, which is sponsored by the COO and tasks an in-house development team with developing the E-commerce system that supports the new business. Which of the following is most critical to your success?
A. Competent team
B. Communicated Policy
C. Executable strategy
D. Documented program plan

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Communicated Policy.


  • A policy is a documented management intention or directive; it’s a demonstration of management commitment.
  • A policy development process should be undertaken before program implementation.
  • A program policy sets the strategic direction and assigns resources for the implementation of a program.
  • A program charter typically cites a program policy as the authorization source to initiate a program.
  • A program manager may plot a program-level strategy that is aligned with the upstream strategy to guide the progress of the program.
  • A program plan is derived based on the strategy.

(Information Security) Program policies set the strategic direction for security and assign resources for its implementation within the organization. A management official—typically the SISO—issues program policy to establish or restructure the organization’s information security program.

This high-level policy defines the purpose of the program and its scope within the organization, addresses compliance issues, and assigns responsibility to the information security organization for direct program implementation as well as other related responsibilities.

NIST SP 800-12 R1


A strategy is an approach or overall plan that points out the direction and proposes initiatives to achieve long-term goals.

  • A strategy is an “organization’s overall plan of development, describing the effective use of resources in support of the organization in its future activities.”
  • It involves setting objectives and proposing initiatives for action.

ISO/IEC/IEEE 24765:2017


Competent means “having the combination of knowledge, formal and informal skills, training, experience, and behavioral attributes required to perform a task or role.” (ISO/IEC/IEEE 24765:2017)
