CISSP-ISSEP Question #97: Real Exam Question with Answer & Explanation

Question

Which of the following phases of the ISSE model is used to determine why the system needs to be built and what information needs to be protected?

Options

• ADevelop detailed security design
• BDefine system security requirements
• CDiscover information protection needs
• DDefine system security architecture

Explanation

Discover Information Protection Needs is the first phase of the ISSE model, explicitly focused on understanding the why behind a system and what assets require protection. It establishes the business context, identifies sensitive information, and uncovers threats - laying the foundation for every subsequent phase.

Why the distractors are wrong:

• A. Develop detailed security design - this is a later phase concerned with specifying technical controls and security mechanisms, not with discovery.
• B. Define system security requirements - this phase translates discovered needs into specific, measurable security requirements; it comes after protection needs are already understood.
• D. Define system security architecture - this phase structures how security components fit together at a high level; it depends on requirements already being defined.

Memory tip: Think of the ISSE phases as a funnel - Discover → Define needs → Define architecture → Design → Implement. The word "Discover" signals the very start of the process, like a detective asking "Why are we here and what are we protecting?" before doing anything else. If a question asks about purpose or what to protect, it belongs to the Discover phase.

No community discussion yet for this question.