Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

1.5. Reflection Checkpoint

Key Takeaways

  • The CISSP measures managerial judgment, not technical depth alone — always ask "what would a reasonable, risk-aware CISO do?" before choosing an answer.
  • CIA+AN (confidentiality, integrity, availability, authenticity, nonrepudiation) is the analytical lens for every security question — identify which pillar is at stake first.
  • Control types (preventive/detective/corrective/compensating/deterrent/directive/recovery) and implementation categories (administrative/technical/physical) are orthogonal — every control has both attributes.
  • Risk vocabulary is precise: asset ≠ threat ≠ vulnerability ≠ risk. The four response options are avoid, mitigate, transfer, and accept.
  • Defense in depth means independent, layered controls — not just more controls.

Connecting Forward

Phase 2 takes these first principles into Domain 1: Security and Risk Management — the highest-weighted domain on the exam. You'll use the risk management vocabulary from Section 1.4 to navigate qualitative vs. quantitative analysis, the CIA framework to evaluate legal and regulatory requirements, and the control categories to design security governance programs. Everything in Phase 1 has a direct application in Phase 2.

Self-Check Questions

  • An organization's legal team insists on retaining a legacy system that cannot be patched. As the CISO, you implement additional network monitoring around it. Which risk response strategy did you apply, and what are your obligations regarding documentation?
  • A colleague argues: "Adding more security controls always makes us more secure." Using the principles from Phase 1, construct a counterargument with a concrete example.
Written by Alvin Varughese, Founder (15 professional certifications)