| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 20.1 - Introducing Systems Development Controls (Part 4 of 5)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series turns Domain 8 toward maturity models, project scheduling, and the disciplines that keep changing software under control. It measures how organizations mature and govern change, offering the yardsticks used to hold both internal teams and outside partners to account.
What this episode covers
- Principles of agile at scale — economic thinking, systems thinking, value flow, cadence, and decentralized decisions.
- The Capability Maturity Model — five stages from initial to optimizing, on the premise that quality follows process.
- The Software Assurance Maturity Model — folding security into build and maintenance across five business functions.
- The IDEAL model — initiating, diagnosing, establishing, acting, and learning as a cycle of improvement.
- Scheduling and sizing tools — the Gantt chart for timing and the review technique for size, risk, and dependencies.
- Change and configuration management — request, change, and release control, plus identification, control, accounting, and audit.
- DevOps and DevSecOps — merging development, security, and operations into one fast, automated pipeline.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
How does the Capability Maturity Model chart the road from chaos to discipline?
The model holds that every software organization climbs the same five stages in order, on the premise that software quality follows process quality. Level one is initial, with little defined process; level two, repeatable, adds basic life cycle management; level three, defined, uses standardized documented processes; level four, managed, adds quantitative measures; and level five, optimizing, feeds lessons back for continuous improvement. The model itself does not address security, so weaving security in is on you.
What does the Software Assurance Maturity Model add?
This open-source model exists specifically to fold security into the development and maintenance process, letting an organization assess its own maturity. It divides the work into five business functions: governance for managing the process, design for defining requirements and shaping the software, implementation for building and deploying components, verification for confirming code meets business and security requirements, and operations for keeping confidentiality, integrity, and availability intact after release.
What tools help you schedule and size a project?
A Gantt chart is a bar chart that maps tasks against time, showing how projects and schedules interrelate, which makes it ideal for coordinating work that shares people or resources. The program evaluation review technique helps you judge the size of a software product and gauge risk by combining the smallest, most likely, and largest likely size of each piece, while laying bare the dependencies between tasks.
How does change management keep production safe?
Once software is live, changes are managed in an organized way and logged to a central repository. The process has three parts: request control gives users a framework to ask for changes while managers weigh costs and developers set priorities; change control lets developers reproduce the situation, craft and test a fix, and document it; and release control approves the change for production and confirms that any debugging code or backdoor added as a temporary aid is stripped out before shipping.
How do DevOps and DevSecOps fold everything together?
For years development, quality assurance, and operations sat in separate silos that clashed and delayed releases. DevOps merges these three functions into one cooperative model, slashing the time to develop, test, and deploy so organizations can ship many times a day. Many teams prefer DevSecOps to signal that security joins as an equal partner, supporting software-defined security where controls are managed by code and drop straight into the continuous integration and delivery pipeline.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 20.1 - Introducing Systems Development Controls (Part 4 of 5).