nerdexam
(ISC)2

CISSP · Question #9

When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?

The correct answer is D. After the business functional analysis and the data security categorization have been performed. In the SDLC, security functional requirements must be defined after understanding both the business needs and the data classification, ensuring security controls are appropriately scoped before design begins.

Submitted by ashley.k· Mar 5, 2026Security Engineering

Question

When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?

Options

  • AAfter the system preliminary design has been developed and the data security categorization has
  • BAfter the vulnerability analysis has been performed and before the system detailed design begins
  • CAfter the system preliminary design has been developed and before the data security
  • DAfter the business functional analysis and the data security categorization have been performed

How the community answered

(29 responses)
  • A
    3% (1)
  • B
    10% (3)
  • C
    3% (1)
  • D
    83% (24)

Why each option

In the SDLC, security functional requirements must be defined after understanding both the business needs and the data classification, ensuring security controls are appropriately scoped before design begins.

AAfter the system preliminary design has been developed and the data security categorization has

Defining security requirements after the preliminary design has already been developed is too late in the process, as design decisions may have already been made that conflict with or fail to accommodate necessary security controls.

BAfter the vulnerability analysis has been performed and before the system detailed design begins

Vulnerability analysis is a later-phase activity that occurs after requirements and design are established; basing security requirements on vulnerability analysis reverses the proper SDLC order and omits the critical business functional analysis input.

CAfter the system preliminary design has been developed and before the data security

Defining security requirements after the preliminary design but before data security categorization is incorrect because the design phase should not begin until both business analysis and data categorization are complete, making this sequence out of order.

DAfter the business functional analysis and the data security categorization have been performedCorrect

Security functional requirements can only be properly defined once the business functional analysis is complete (so the system's purpose and functions are understood) and the data security categorization has been performed (so the sensitivity and protection needs of the data are known). These two inputs together provide the foundation for determining what security controls and requirements are necessary before any system design work begins, following frameworks like NIST SP 800-64.

Concept tested: SDLC security requirements timing and sequencing

Source: https://csrc.nist.gov/publications/detail/sp/800-64/rev-2/final

Topics

#SDLC security#security requirements#data classification#security by design

Community Discussion

No community discussion yet for this question.

Full CISSP Practice