nerdexam
(ISC)2

CISSP · Question #1136

A company is moving from the V model to Agile development. How can the information security department BEST ensure that secure design principles are implemented in the new methodology?

The correct answer is D. Information security requirements are captured in mandatory user stories.. When transitioning to Agile, security must be embedded natively into the development process using Agile artifacts. Capturing security requirements as mandatory user stories ensures they are treated as first-class development tasks within each sprint.

Submitted by lars.no· Mar 5, 2026Software Development Security

Question

A company is moving from the V model to Agile development. How can the information security department BEST ensure that secure design principles are implemented in the new methodology?

Options

  • AAll developers receive a mandatory targeted information security training.
  • BThe non-financial information security requirements remain mandatory for the new model.
  • CThe information security department performs an information security assessment after each
  • DInformation security requirements are captured in mandatory user stories.

How the community answered

(56 responses)
  • A
    9% (5)
  • B
    4% (2)
  • C
    16% (9)
  • D
    71% (40)

Why each option

When transitioning to Agile, security must be embedded natively into the development process using Agile artifacts. Capturing security requirements as mandatory user stories ensures they are treated as first-class development tasks within each sprint.

AAll developers receive a mandatory targeted information security training.

Security training improves developer awareness but does not directly ensure that secure design principles are systematically implemented or verified within the Agile development workflow itself.

BThe non-financial information security requirements remain mandatory for the new model.

Mandating non-financial security requirements does not integrate security into the Agile process mechanics; it merely carries over a policy constraint without providing a methodology-native mechanism for tracking or implementing secure design within sprints.

CThe information security department performs an information security assessment after each

Performing security assessments after each sprint is a reactive, detective control that identifies issues post-development, whereas the question asks for the best way to ensure secure design principles are implemented proactively during development.

DInformation security requirements are captured in mandatory user stories.Correct

In Agile methodology, user stories are the primary mechanism for capturing and tracking requirements within sprints and backlogs. By encoding information security requirements as mandatory user stories, security becomes an integral, trackable, and actionable part of each iteration rather than an afterthought, directly aligning with the 'shift-left' security principle and ensuring secure design is built in from the start of each development cycle.

Concept tested: Integrating security requirements into Agile user stories

Source: https://www.cisecurity.org/insights/white-papers/agile-development-secure-coding

Topics

#Agile security#secure SDLC#user stories#requirements engineering

Community Discussion

No community discussion yet for this question.

Full CISSP Practice