Effective CISSP Questions

Your company decides to subscribe to SaaS from a well-known cloud service provider. As a security professional, you are tasked to prepare for a security plan. Which of the following should you do first?
A. Determine data types processed by the SaaS cloud services.
B. Categorize the system based on its impact level
C. Scope and tailor security controls
D. Identify stakeholders

Wentz’s Book, The Effective CISSP: Security and Risk Management

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Identify stakeholders.


According to the NIST RMF, system categorization based on the system impact level determined by data types is the first step, but identifying stakeholders first is more practical as stakeholders and their needs and requirements drive everything. It determines which types of data are processed on the cloud.

  • Government departments and agencies can lookup data types specified in the NIST SP 800-60. However, the predefined data types in NIST SP 800-60 may not be applicable to private companies.
  • Moreover, what services are provided by the SaaS? ERP, CRM, email, or document repository services? Are there any applicable legal or regulatory requirements? Identifying stakeholders helps in determining data types.

I designed this question based on a real case from a friend, also a CISSP. He is in charge of the security plan for the SaaS project.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

Leave a Reply