nerdexam
(ISC)2

CISSP · Question #1143

In which of the following system life cycle processes should security requirements be developed?

The correct answer is D. System analysis. Security requirements should be developed during the system analysis phase of the system life cycle, where functional and non-functional requirements-including security controls-are formally identified and documented.

Submitted by suresh_in· Mar 5, 2026Software Development Security

Question

In which of the following system life cycle processes should security requirements be developed?

Options

  • ARisk management
  • BBusiness analysis
  • CInformation management
  • DSystem analysis

How the community answered

(32 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    6% (2)
  • D
    88% (28)

Why each option

Security requirements should be developed during the system analysis phase of the system life cycle, where functional and non-functional requirements-including security controls-are formally identified and documented.

ARisk management

Risk management is an ongoing process used to identify, assess, and mitigate risks, but it is not the SDLC phase where security requirements are formally developed and documented.

BBusiness analysis

Business analysis focuses on understanding organizational needs and defining business objectives, not on the technical specification of security requirements for a system.

CInformation management

Information management deals with the governance, storage, and handling of data assets and is not an SDLC phase dedicated to eliciting or developing system security requirements.

DSystem analysisCorrect

System analysis is the phase of the system development life cycle (SDLC) where stakeholder needs are translated into detailed system requirements, including security requirements such as access controls, data protection, and compliance mandates. Identifying security requirements at this stage ensures they are built into the system design from the ground up rather than retrofitted later, following the 'secure by design' principle.

Concept tested: Security requirements development within SDLC phases

Source: https://csrc.nist.gov/publications/detail/sp/800-160/vol-1/final

Topics

#SDLC#security requirements#system analysis#security by design

Community Discussion

No community discussion yet for this question.

Full CISSP Practice