As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the scope of security controls. Which of the following is the best source to inform the scoping decision?
A. The assessment of risk to the system
B. The result of business impact analysis (BIA)
C. The design of the security architecture
D. The detailed plan for certification and accreditation

Kindly be reminded that the suggested answer is for your reference only. Whether you arrive at the right or wrong answer matters less than your reasoning process and the justifications behind it.

My suggested answer is A. The assessment of risk to the system.

Security controls are part of risk treatment, which comes after risk assessment, so the scope of security controls is determined by the result of the risk assessment. Under the NIST SDLC guidance and ISO 22301, a business impact analysis (BIA) does not assess risk; the BIA as described in the CISSP Official Study Guide (OSG), however, does include a risk assessment.

  • A business impact analysis (BIA) identifies the critical processes and resources that support the delivery of the products and services defined in the scope of the business continuity program. Constraints and objectives such as Maximum Tolerable Downtime (MTD), Recovery Point Objective (RPO), and Recovery Time Objective (RTO) are determined in the BIA.
  • Assessing risk to the system comes after the BIA. Risk treatment then follows: it selects a set of security controls, which are allocated to and engineered into the security architecture design as the solution. The detailed plan for certification and accreditation (C&A) directs the C&A process so that the system can be assessed and authorized to operate; it does not inform the scoping of controls.

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

As the customer relationship management (CRM) system owner, you collaborate with the data owner and other stakeholders to determine the scope of security controls. Which of the following is the best source of information to inform the scoping decision?
A. The result of the risk assessment of the system
B. The result of business impact analysis (BIA)
C. The design of the security architecture
D. The detailed plan for certification and accreditation (C&A)
