nerdexam
(ISC)2

CISSP-ISSEP · Question #50

Which of the following approaches can be used to build a security program? Each correct answer represents a complete solution. Choose all that apply.

The correct answer is C. Bottom-Up Approach D. Top-Down Approach. Bottom-Up (C) and Top-Down (D) are the two recognized approaches for building a security program. In the Top-Down approach, senior management initiates and drives the security program - policies and goals flow down from executives to technical staff, ensuring organizational buy-i

Governance and Training

Question

Which of the following approaches can be used to build a security program? Each correct answer represents a complete solution. Choose all that apply.

Options

  • ARight-Up Approach
  • BLeft-Up Approach
  • CBottom-Up Approach
  • DTop-Down Approach

How the community answered

(31 responses)
  • A
    3% (1)
  • B
    6% (2)
  • C
    90% (28)

Explanation

Bottom-Up (C) and Top-Down (D) are the two recognized approaches for building a security program. In the Top-Down approach, senior management initiates and drives the security program - policies and goals flow down from executives to technical staff, ensuring organizational buy-in and adequate resources. In the Bottom-Up approach, technical staff (like IT or security teams) identify risks and build security controls from the ground up, often without formal executive sponsorship - less ideal but common in practice.

"Right-Up" (A) and "Left-Up" (B) are fabricated distractors with no meaning in security frameworks or standards (NIST, ISO 27001, CISSP domains, etc.). They exist solely to test whether you know the real terminology.

Memory tip: Think of a corporate org chart - security programs travel either down from the CEO/board (Top-Down) or up from the sysadmin/security analyst (Bottom-Up). If a direction doesn't map to vertical movement on that chart, it's a distractor.

Topics

#Security program#Program development#Security strategy#Management approaches

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSEP Practice