ISC Certified Information Systems Security Professional (CISSP) CISSP Question # 15 Topic 2 Discussion

CISSP Exam Topic 2 Question 15 Discussion:

Question #: 15

Topic #: 2

When assessing an organization’s security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?

Only when assets are clearly defined

Only when standards are defined

Only when controls are put in place

Only procedures are defined

Get Premium CISSP Questions

Explanation

When assessing an organization’s security policy according to standards established by the ISO 27001 and 27002, management responsibilities can be defined only when standards are defined. Standards are the specific rules, guidelines, or procedures that support the implementation of the security policy. Standards define the minimum level of security that must be achieved by the organization, and provide the basis for measuring compliance and performance. Standards also assign roles and responsibilities to different levels of management and staff, and specify the reporting and escalation procedures.

Management responsibilities are the duties and obligations that managers have to ensure the effective and efficient execution of the security policy and standards. Management responsibilities include providing leadership, direction, support, and resources for the security program, establishing and communicating the security objectives and expectations, ensuring compliance with the legal and regulatory requirements, monitoring and reviewing the security performance and incidents, and initiating corrective and preventive actions when needed.

Management responsibilities cannot be defined without standards, as standards provide the framework and criteria for defining what managers need to do and how they need to do it. Management responsibilities also depend on the scope and complexity of the security policy and standards, which may vary depending on the size, nature, and context of the organization. Therefore, standards must be defined before management responsibilities can be defined.

The other options are not correct, as they are not prerequisites for defining management responsibilities. Assets are the resources that need to be protected by the security policy and standards, but they do not determine the management responsibilities. Controls are the measures that are implemented to reduce the security risks and achieve the security objectives, but they do not determine the management responsibilities. Procedures are the detailed instructions that describe how to perform the security tasks and activities, but they do not determine the management responsibilities.

Actual exam question for ISC CISSP exam by Hale32947 at Aug 3, 2025, 12:00:00 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

ISC Certified Information Systems Security Professional (CISSP) CISSP Question # 15 Topic 2 Discussion

ISC Certified Information Systems Security Professional (CISSP) CISSP Question # 15 Topic 2 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

ISC Certified Information Systems Security Professional (CISSP) CISSP Question # 15 Topic 2 Discussion

ISC Certified Information Systems Security Professional (CISSP) CISSP Question # 15 Topic 2 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval