| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 3.2 - Project Scope & Planning (Part 2 of 2)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series picks up the scope and planning phase from Domain 1 where the last part left off, turning to the resources a continuity effort consumes and the outside forces that shape it — the vendors, laws, and contracts your plan quietly depends on.
What this episode covers
- Three resource phases — development, then testing, training, and maintenance, then implementation, when demands spike sharply.
- Labor as the dominant cost — people are the single largest resource consumed, and leadership feels every hour.
- Defending the business case — expect a microscope, especially when you ask for senior executives’ time.
- External dependencies — technology vendors and legal frameworks that can disrupt operations at the worst moment.
- Vendor assurance — checking service-level agreements and restore commitments, since a contract alone is not enough due diligence.
- SOC reports — independent audit reports in three tiers, with higher tiers covering security, privacy, and availability.
- Laws, regulations, and contracts — sector mandates, fiduciary duty, and keeping legal counsel involved start to finish.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What resources does a continuity effort actually consume?
Resource needs fall across three distinct phases. During development, the team builds the four elements of the plan, and the main cost is the time and effort of the members and the staff they lean on. During testing, training, and maintenance, you spend some money on hardware and software, but the bulk of the cost is still people’s effort, and during implementation, when a real disaster forces the full plan into action, demands spike sharply with heavy effort and direct financial expense.
Why is labor the cost that leadership scrutinizes most?
Because the single largest resource a continuity plan burns is your people, and while many security professionals overlook the price of that labor, leadership never does. Executives feel every hour that a side project pulls staff away from productive work, and they know the real cost of salary, benefits, and lost opportunity. That scrutiny gets sharpest when you ask for the time of senior executives themselves, so come prepared to defend your proposal with clear, logical arguments rooted in the business case.
What external dependencies can quietly break your plan?
A robust plan does not just look inward at your own processes; it looks outward at everyone you rely on. Dependencies stretch from technology vendors supplying hardware, software, and cloud services, to the legal and regulatory frameworks that govern your response. Each outside factor carries risk if left unexamined, so the plan should make the roles and responsibilities of external parties clear and put contingency plans in place for when they falter.
How do you gain assurance about your vendors?
When you outsource something critical, check whether the contract spells out the service-level agreement and the provider’s commitments to restore operations after a disaster. But a contract alone is not enough due diligence — you should verify the vendor actually has the controls to deliver on those promises. Many vendors hire an independent auditing firm and share the results as a System and Organization Controls (SOC) report; the simplest tier covers only internal controls over financial reporting, so to judge security, processing integrity, confidentiality, privacy, or availability you review one of the higher-tier reports instead.
How do laws, regulations, and contracts shape your obligations?
Heavily, and the stakes vary by sector: some industries face laws mandating specific continuity measures, officers and directors of publicly traded firms carry a fiduciary duty of due diligence, emergency services owe their communities uninterrupted operation, and financial institutions face strict rules meant to protect the wider economy. Even without a specific law, a service-level agreement you signed can put you in breach if a disaster stops you from delivering. Bring your legal counsel into the process and keep them there through testing and maintenance, because laws shift constantly and vary by jurisdiction.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 3.2 - Project Scope & Planning (Part 2 of 2).