Effective CISSP Questions

As a CISO, which of the following should you consider first?
A. Develop information security policies
B. Conduct business continuity planning
C. Formulate information security strategy
D. Implement information security programs

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Formulate information security strategy.

Business Continuity Policy

Top management fulfills the organizational mission and vision by formulating strategic plans or strategies and directs the implementation of strategies through policies. A strategy typically comprises a collection of portfolios, programs, and projects. There are many types of policies, e.g., program policy, issue-specific policy, system-specific policy, etc. A program policy directs the execution of a program.

My book, The Effective CISSP: Security and Risk Management, has details about strategic management.
  • A policy refers to “intentions and direction of an organization as formally expressed by its top management.” (ISO 21401:2018)
  • A policy is a “set of rules related to a particular purpose,” (ISO 19101-2:2018) reflecting the management intents.
  • A policy is “a statement of objectives, rules, practices or regulations governing the activities of people within a certain context.” (NISTIR 4734)
My book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

A. Develop information security policies (policy)
B. Conduct business continuity planning (plan)
C. Formulate information security strategy (strategy)
D. Implement information security programs (program)

1 thought on “CISSP PRACTICE QUESTIONS – 20210310”

  1. Pingback: 資訊安全戰略(information security strategy) – Choson資安大小事
