CISSP Question #1143: Real Exam Question with Answer & Explanation
The correct answer is D: System analysis. Security requirements should be developed during the system analysis phase of the system life cycle, where functional and non-functional requirements, including security controls, are formally identified and documented.
Question
In which of the following system life cycle processes should security requirements be developed?
Options
- A. Risk management
- B. Business analysis
- C. Information management
- D. System analysis
Explanation
Security requirements should be developed during the system analysis phase of the system life cycle, where functional and non-functional requirements, including security controls, are formally identified and documented.
Common mistakes.
- A. Risk management is an ongoing process used to identify, assess, and mitigate risks, but it is not the SDLC phase where security requirements are formally developed and documented.
- B. Business analysis focuses on understanding organizational needs and defining business objectives, not on the technical specification of security requirements for a system.
- C. Information management deals with the governance, storage, and handling of data assets and is not an SDLC phase dedicated to eliciting or developing system security requirements.
Concept tested. Security requirements development within SDLC phases
Reference. https://csrc.nist.gov/publications/detail/sp/800-160/vol-1/final