Question 4 - ISC2 CISSP Exam Dumps with Answers & Explanations (2026)

Q: 4

When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?

Options

Discussion

Arjun Mar 26, 2026 11:24 am

D. Security requirements have to be set right after business analysis and data categorization, not later in SDLC. If you wait until after vulnerability analysis or design phases, it's too late to integrate them fully.

MethodicalNeteng4453 Mar 30, 2026 9:29 am

Its D, not B. Vulnerability analysis comes after, trap for people mixing up SDLC order.

Liam X. Mar 26, 2026 10:06 am

Priya G. Mar 18, 2026 7:26 am

Kind of leaning toward B. Seems like you should lock down requirements right after vulnerability analysis is done.

Aisha K. Mar 12, 2026 7:17 am

Its D. Saw a similar question in some practice sets and D matched the official CISSP approach for when security requirements should be set.

Chloe Mar 22, 2026 1:02 am

Not B, D. Vulnerability analysis is later in the SDLC so B is a common trap here.

Aaron Mar 11, 2026 6:04 pm

No way it's B, D is right. Security functional requirements come after business analysis and data categorization, not after vulnerability analysis.

MiaF Mar 29, 2026 5:51 am

I don’t see how B fits since vulnerability analysis happens after requirements are set, not before. Security functional requirements need both the business analysis and knowing your data’s sensitivity, so D is the right sequence. Could be a tricky one if you miss that order.

Sara Q. Mar 23, 2026 7:02 am

Option B. Requirements usually get clearer after vulnerability checks but before detailed design.

Sam D. Mar 25, 2026 5:34 pm

I don't think it's B. D is correct here because vulnerability analysis comes a bit later in the SDLC, and CISSP usually expects security requirements to be set once business functions and data categorization are clear. B is a trap since it jumps ahead. Wouldn't surprise me if some practice sets tripped folks up on this one.

Be respectful. No spam.

Correct Answer:

Explanation

Software security functional requirements must be defined early in the Software Development Life Cycle (SDLC) to ensure security is built-in, not bolted on. This process logically follows the initial analysis of the system's purpose and the data it will handle. First, the business functional analysis determines what the system needs to do. Second, data security categorization (e.g., per FIPS 199) assesses the sensitivity of the information being processed. Only after understanding both the system's function and the data's value can appropriate and specific security requirements (e.g., access controls, encryption levels) be defined. This "shift left" approach is fundamental to secure systems engineering.

References

1. NIST Special Publication 800-64 Revision 2

Security Considerations in the System Development Life Cycle.

Section 2.1

Initiation Phase: This section states

"During the Initiation Phase

the need for a system is expressed and the purpose of the system is documented... Security requirements should be identified and discussed at this early stage." It explicitly links the initial business need and the security categorization (based on FIPS 199) as precursors to defining these requirements.

2. NIST Special Publication 800-160 Volume 1

Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.

Section 2.3.2

Stakeholder Needs and Requirements Definition Process: This section describes the process to "define the stakeholder requirements for a system." It emphasizes that this occurs at the beginning of the life cycle to capture all needs

including security

which are derived from the business or mission objectives and the required level of protection for assets.

3. Federal Information Processing Standards Publication (FIPS) 199

Standards for Security Categorization of Federal Information and Information Systems.

Section 3

Categorizing Information and Information Systems: This standard establishes the importance of categorizing information based on confidentiality

integrity

and availability impacts. This categorization is a foundational step in the risk management process and directly informs the selection of security controls and requirements early in the SDLC.

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE