Effective CISSP Questions

A life cycle is a collection of predefined stages/phases and processes. The conventional term, SDLC, may refer to the development life cycle of a system or software. Which of the following is not true?
A. An SDLC can be repeated as many times as a project requires.
B. The NIST SDLC is more prescriptive than software-based SDLC.
C. A short iteration, such as a sprint, entails delivering value when the SDLC ends.
D. Acquisition is not a concern of the SDLC because development is not procurement.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Acquisition is not a concern of the SDLC because development is not procurement.

Evolution of SE standards

Life Cycle

A life cycle spans from cradle to grave. For a system, it is typically divided into several stages or phases, each of which comprises constituent processes. ISO 15288 divides a system life cycle into stages and categorizes its processes into process groups.

ISO 15288 - System Life Cycle Processes

Life Cycle

  • A life cycle is “consecutive and interlinked stages of a product system, from raw material acquisition or generation from natural resources to final disposal.” (ISO 14044:2006)
  • A life cycle is “evolution of a system, product, service, project or other human-made entity from conception through retirement.” (ISO/IEC 15288:2008)

System Life Cycle

A system is a collection of elements that work together to achieve a common objective or purpose. A system comes into being by being "developed." Nowadays it is uncommon to build the whole system, or every constituent element, in-house. As a result, system development typically entails both construction and procurement, which is why acquisition is a concern of the SDLC.

The system life cycle is a “period that begins when a system is conceived and ends when the system is no longer available for use.” (ISO/IEC/IEEE 24765:2017)

System and Software SDLC

The phases and processes of a life cycle vary with the engineering approach. Some are prescriptive or normative; others are suggestive or discretionary. The NIST SDLC is more prescriptive than software-based SDLCs because software SDLCs are far more diversified, while the NIST guidelines apply specifically to US federal departments and agencies.


Ubiquitous Security across SDLC

Security should be ubiquitous and considered across the entire system development life cycle. The following diagram shows how NIST addresses security concerns in each phase of the NIST SDLC defined in SP 800-64 R2 (now withdrawn and superseded by SP 800-160 V1).


Iterations of SDLC

Traditional projects that execute the SDLC in one and only one pass are called waterfall or plan-driven projects.

Iterative approaches repeat the phases and processes of the SDLC within a project, each pass being a time-boxed iteration. When an iteration ends, it may deliver work in progress or a usable product.

If an iteration delivers a usable, workable product that can be put into production, it creates value, or an increment. In Scrum, an iteration is called a "sprint," and the outcome of a sprint is expected to be workable and deliverable. The sum of the value produced by each sprint is called the "increment." This is why option C is true: a sprint is a short iteration of the SDLC that delivers value when it ends.




My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

A life cycle is a collection of predefined stages and processes. The common term SDLC may refer to the development life cycle of a system or software. Which of the following is not true?
A. An SDLC can be repeated as many times as a project requires.
B. The NIST SDLC is more prescriptive than software-based SDLCs.
C. A short iteration, such as a sprint, must deliver value when the SDLC ends.
D. Acquisition is not a concern of the SDLC because development is not procurement.
