Question 9 - Exin ISMP Real Exam Questions [Feb 2026 Update]

Q: 9

In a company the IT strategy is migrating towards a Service Oriented Architecture (SOA) so that migrating to the cloud is better feasible in the future. The security architect is asked to make a first draft of the security architecture. Which elements should the security architect draft?

Options

Correct Answer:

Explanation

The primary task when creating a first draft of a security architecture is to define its fundamental components and their placement. This involves identifying which security services are needed (e.g., identity and access management, data encryption, logging, threat detection) and specifying where they fit within the broader enterprise architecture (e.g., application, data, technology layers). For a Service Oriented Architecture (SOA), this means designing security as a set of consumable services. This high-level blueprint establishes the core structure, ensuring security is integrated by design, before detailed controls, policies, or management processes are developed.

Why Incorrect

A. Management and control of the security services are operational and governance aspects that are defined after the core architecture is established.

B. The information security policy and risk assessment are foundational inputs that inform and guide the architectural design, not the direct outputs of the initial draft.

References

1. The Open Group. (2018). The TOGAF® Standard, Version 9.2. Van Haren Publishing. In Part III, Chapter 22, "Security Architecture," the methodology describes identifying security "building blocks" (services) and ensuring they are positioned correctly within the Business, Data, Application, and Technology Architectures. This aligns with defining what services are provided and where.

2. Voerman, J., & Baars, H. (2020). Information Security based on ISO/IEC 27002:2022. Van Haren Publishing. Control A.8.25, "Architecture and engineering principles," emphasizes the need to establish and apply principles for engineering secure systems, which includes the architectural design of security services as a foundational step.

3. Sabsa.org. (2009). The SABSA Method. The SABSA framework, a widely recognized methodology for security architecture, begins with a contextual layer (business requirements) and moves to a conceptual layer where business services, including security services, are defined. This supports the idea of first defining which services are provided.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE