Effective CISSP Questions

Which of the following is least suitable for being measured by a maturity model?
A. Enterprise risk management
B. Organizational procurement
C. Organizational service delivery
D. Security capabilities of an information system

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Security capabilities of an information system.

  • There are many risk maturity models used to evaluate an organization’s risk management capabilities, e.g., the RIMS Risk Maturity Model (RMM).
  • CMMI is a well-known capability maturity model that integrates multiple models to assess the capabilities of engineering, procurement, and service delivery and to rate them at different maturity levels.
  • The security capabilities of an information system are assessed for assurance. TCSEC, ITSEC, and the Common Criteria are well-known assurance frameworks that render assurance levels instead of maturity levels.


Capability is the ability to do something or a feature or function. In the context of security, it may refer to “a set of mutually reinforcing security controls implemented by technical, physical, and procedural means. Such controls are typically selected to achieve a common information security-related purpose.” (NISTIR 8011 Vol. 1)

Maturity Model

A maturity model is a “set of structured levels that describe how well the behaviors, practices, and processes of an organization can reliably and sustainably produce required outcomes.” (ISO/TR 14639-2:2014)

Capability Maturity Model

A capability maturity model is a “model that contains the essential elements of effective processes for one or more disciplines and describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness.” (ISO/IEC/IEEE 24765:2017)

Capability Maturity Model Integration (CMMI)



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

The Effective CISSP - SRM

The Effective CISSP: Practice Questions

A. Enterprise risk management
B. Organizational procurement
C. Organizational service delivery
D. Security capabilities of an information system
