Effective CISSP Questions

As the CISO of a multinational corporation, which of the following least likely belongs to one of your responsibilities? (Wentz QOTD)
A. Formulate the corporate strategy
B. Report to the CFO as your supervisor
C. Support delivery of products and services
D. Establish an information security management system

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Formulate the corporate strategy.

[Figure: Levels of Strategy]

Typically, the CEO is in charge of formulating the corporate strategy (also called the grand strategy), with input from the board and support from the senior management team.

The CISO is not the primary role in developing the corporate strategy. Instead, the CISO develops the information security strategy, which aligns with the corporate strategy to create value and fulfill the organizational vision and mission. Beyond that, the CISO has to position the security function (department) within the organization; determine its structure, roles, and responsibilities; integrate security into organizational processes; support the continued delivery of products and services (the so-called "business continuity"); and protect information assets. An information security management system (ISMS) ensures that security policies are developed and implemented effectively, so establishing one falls squarely within the CISO's remit.

The reporting line of the CISO varies across organizations, and each arrangement has pros and cons, but it is by no means unusual for the CISO to report to the CFO or another senior officer.

  • A CISO who reports to the CIO may face a conflict of interest, because security controls can slow or constrain the IT delivery the CIO is measured on.
  • A CISO who reports to the CFO may spend more time translating technical matters into business and financial terms.
  • A CISO who reports to the audit function will undermine the independence of that function, since audit would then be assessing work it is responsible for.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

As the CISO of a multinational corporation, which of the following is least likely to be one of your responsibilities? (Wentz QOTD)
A. Formulate the corporate strategy
B. Report to the CFO as your supervisor
C. Support the delivery of products and services
D. Establish an information security management system (ISMS)

1 thought on “CISSP PRACTICE QUESTIONS – 20210415”

  1. Pingback: Levels of Strategy – Choson資安大小事