🏠 Back to Exam Syllabus 📺 RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 1.5 - Manage the Security Function (Part 1 of 2)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series covers how the security effort is actually run and steered, continuing Domain 1. It looks at security as an ongoing, measurable program, how leadership drives it and ties it to the wider business, the layers of planning that keep it on course, and the people who share its responsibilities.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

Why must security be measurable?

Because you cannot improve what you cannot see. Measurable security means each mechanism does its job, delivers a clear benefit, and produces metrics you can record and analyze. When you deploy a safeguard, the numbers should show fewer bad events or more caught attempts, and evaluating those metrics is how you judge whether the whole program is complete and effective.

Who leads security, and how?

Senior management leads it, using a top-down approach. Upper management sets the policies that give direction, middle management turns those policies into standards, baselines, guidelines, and procedures, operational staff implement the prescribed configurations, and end users comply. The opposite — a bottom-up approach where technical staff decide security alone without leadership input — is rare and considered a problem.

How should the security team be positioned?

It should be autonomous, led by a chief information security officer who reports straight to senior leadership, whether to the chief information officer, the chief executive, or the board. That direct line keeps security out of departmental politics. Approval from the top is the one factor no plan can survive without — a policy the leadership does not back and commit to will simply fail.

What kinds of security plans do you build?

Three plan types work together, differing in how far ahead they look and how much detail they carry. A strategic plan is long-term and fairly stable, defining your security purpose and including a risk assessment. A tactical plan is midterm, scheduling the concrete tasks that reach strategic goals — like project, hiring, and budget plans. An operational plan is short-term and highly detailed, spelling out resource allotments, staffing, scheduling, and step-by-step procedures.

Who fills the key security roles?

The senior manager owns overall security, signs off on policy, and is ultimately held liable. The security professional writes and implements the policy but does not make the decisions. The asset owner classifies information for protection and hands day-to-day data work to a custodian, who performs the actual protections like backups and integrity checks. The user gets only the access their job needs under least privilege, and the auditor reviews whether the policy is properly implemented and reports back to the senior manager.

📚 Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 1.5 - Manage the Security Function (Part 1 of 2).