Effective CISSP Questions

According to the NIST SDLC, which of the following is the first security activity that should be conducted before authorizing an information system to operate?
A. Assess risk to the system
B. Assess business impact
C. Assess system security
D. Review operational readiness

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Assess business impact.


Source: NIST SP 800-64R2


2 thoughts on “CISSP PRACTICE QUESTIONS – 20200411”

  1. Hi Wentz
    Thank you for selflessly sharing your knowledge. The answer makes me a little confused…
    “authorizing an information system” = SDLC Phase 3 (4. Authorizing the information system)?

    It should be Phase 3 (3. Assess System Security) before “authorizing the information system”?

    • There are many activities that should be done before authorizing an information system, but the question is asking about the “first,” not the one right before authorization. Please don’t hesitate to let me know when in doubt. Thanks for your comment.
