Exam CISSP topic 1 question 35 discussion

I am thinking "D" - I don't like this question. DLC Phases The entire SDLC process divided into the following SDLC steps: Phase 1: Requirement collection and analysis Phase 2: Feasibility study Phase 3: Design Phase 4: Coding Phase 5: Testing Phase 6: Installation/Deployment Phase 7: Maintenance The requirement is the first stage in the SDLC process. It is conducted by the senior team members with inputs from all the stakeholders and domain experts in the industry. Planning for the quality assurance requirements and recognization of the risks involved is also done at this stage. This stage gives a clearer picture of the scope of the entire project and the anticipated issues, opportunities, and directives which triggered the project. Requirements Gathering stage need teams to get detailed and precise requirements. This helps companies to finalize the necessary timeline to finish the work of that system. https://www.guru99.com/software-development-life-cycle-tutorial.html#3

Planning is an audit phase

You check the requirements before starting to Plan.

B. Risk assessment When auditing the Software Development Life Cycle (SDLC), risk assessment is a key high-level audit phase. The purpose of an SDLC audit is to evaluate risks in software development, including security vulnerabilities, compliance issues, and operational risks. Risk assessment helps determine whether security controls and compliance measures are adequately incorporated at each SDLC phase. For the other options I think! A. Planning → Planning is an SDLC phase, but it's not specifically a high-level audit phase. C. Due diligence → Due diligence is more related to business risk management rather than SDLC auditing. D. Requirements → Requirements gathering is part of SDLC but not a distinct audit phase. Thus, risk assessment (B) is the best choice as it aligns with SDLC audit objectives.

The answer is A. Planning. Here's a breakdown of the high-level audit phases within an SDLC audit: Planning: This phase involves defining the audit's scope, objectives, and methodology. It includes identifying the specific areas of the SDLC to be audited, such as requirements gathering, design, development, testing, and deployment. Execution: This phase involves conducting the actual audit, which may include reviewing documentation, interviewing stakeholders, and performing tests. Reporting: This phase involves documenting the audit findings, including any identified issues or risks. The report is typically shared with management and other relevant stakeholders. While risk assessment and due diligence are important aspects of software development, they are not typically considered high-level audit phases. Requirements are part of the SDLC but are not an audit phase.

In the context of auditing the SDLC, Planning is a high-level audit phase that is critical for setting the direction and scope of the audit. It lays the groundwork for the audit team's approach and ensures that all subsequent activities are aligned with the audit objectives.

The high-level audit phases typically include: Planning: This phase involves defining the scope of the audit, identifying objectives, and developing an audit plan. Execution: This phase involves collecting evidence, conducting interviews, and reviewing documentation. Reporting: This phase involves analyzing the evidence, drafting the audit report, and communicating findings to management. Therefore, planning is one of the high-level audit phases when auditing the SDLC.

The question is - which of the following is a high level audit phase? So Due Diligence appears to be high-level. So the given answer probably correct but would like to confirm this.

D. documentation supports D as the correct answer.

D is correct. Read page 767 of the Official CISSP CBK Reference, (6th editon).

Answer: Planning GENERAL SDLC AUDIT PROCEDURE: plan/prepare, describe process, evaluate/report, followup Slide 17 https://s3.amazonaws.com/kajabi-storefronts-production/file-uploads/sites/69255/themes/2154025622/downloads/50fa5a8-d4c-27cf-08cb-023ecccc54e3_Monica_Chis-SDLC-AUDIT-AUGUST-9.pdf

A/D are the same meaning, Planning is part of requirement. Answer is C because its part of Due diligence in auditing process

A - Plan is the only one listed - https://aws.amazon.com/what-is/sdlc/#:~:text=The%20software%20development%20lifecycle%20(SDLC,expectations%20during%20production%20and%20beyond.

It is ABSOLUTELY D: Official CISSP CBK (6th edition): Software Development Auditing phases: - Requirements phase - Requirements phase - Implementation phase - Verification phase - Operation and maintenance phase

Every option is under the due diligence

"A" Question is for "Audit phases" not SDLC steps: Phase 1: Requirement collection and analysis Phase 2: Feasibility study Phase 3: Design Phase 4: Coding Phase 5: Testing Phase 6: Installation/Deployment Phase 7: Maintenance

A. Planning Planning phase also includes requirements, a wish list of the stakeholders/senior management and experts, which at this point the audit will gather all items the will audit as SDLC moves from one phase to the next.