Practice and strategy · Module 9

Capstone professional practice

Pick one system you understand.

1.5h · 3 outcomes · Cybersecurity Practice and Strategy

Why this matters

Produce a short professional pack you could defend in a review.

What you will be able to do

  1. Produce a defensible pack that links risks, controls, and evidence
  2. Explain your security posture to a non-technical stakeholder
  3. Choose what to do next quarter and why

Before you begin

  • You are ready to pick one system and stay in scope

Common ways people get this wrong

  • Unprovable claims. Confidence is not evidence. A pack must be testable and reviewable.
  • Stale documentation. If the pack is not updated with the system, it becomes misleading.

Pick one system you understand. Produce a short professional pack you could defend in a review. Include the system goal, the highest impact risks, the most important controls, and the evidence you would keep.

Mental model

Operational security pack

A defensible system pack joins risks, controls, verification, and evidence.

  1. System scope
  2. Top risks
  3. Controls
  4. Verification
  5. Evidence

Assumptions to keep in mind

  • Controls map to evidence. If you cannot show evidence, the control is not yet real.
  • Evidence is safe to share. Evidence should be useful without exposing secrets. Redact deliberately.
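
One way to make a pack testable is to keep it as data and lint it. The sketch below is an added example, not part of the original module: it flags the two failure modes this page names (unprovable claims, stale documentation) along with evidence that has not been checked for secrets. The pack layout, the field names, the sample system and the 90-day staleness threshold are all assumptions made for illustration.

```python
from datetime import date

MAX_AGE_DAYS = 90  # assumption: evidence older than one quarter counts as stale

# Constructed sample pack; system, risk and artefact names are hypothetical.
PACK = {
    "system": "customer-portal",
    "risks": [
        {"id": "R1", "title": "Account takeover", "controls": ["C1"]},
        {"id": "R2", "title": "Excess standing access", "controls": ["C2", "C3"]},
        {"id": "R3", "title": "Untested incident response", "controls": []},
    ],
    "controls": {
        "C1": {"verification": "MFA enforcement report reviewed monthly",
               "evidence": [{"artefact": "mfa-report-2025-01.pdf",
                             "collected": date(2025, 1, 5), "redaction_reviewed": True}]},
        "C2": {"verification": "Quarterly access review",
               "evidence": [{"artefact": "access-review-2024-q2.xlsx",
                             "collected": date(2024, 6, 30), "redaction_reviewed": False}]},
        "C3": {"verification": "", "evidence": []},
    },
}

def lint_pack(pack, today, max_age_days=MAX_AGE_DAYS):
    """Return sorted (item_id, problem) findings for one pack."""
    findings = set()
    for risk in pack["risks"]:
        if not risk["controls"]:
            findings.add((risk["id"], "risk has no control"))
        for cid in risk["controls"]:
            control = pack["controls"].get(cid)
            if control is None:
                findings.add((cid, "control referenced but not defined"))
                continue
            if not control["verification"].strip():
                findings.add((cid, "no verification method"))
            if not control["evidence"]:
                findings.add((cid, "unprovable claim: no evidence"))
            for ev in control["evidence"]:
                if (today - ev["collected"]).days > max_age_days:
                    findings.add((cid, "stale evidence: " + ev["artefact"]))
                if not ev["redaction_reviewed"]:
                    findings.add((cid, "evidence not reviewed for secrets: " + ev["artefact"]))
    return sorted(findings)

if __name__ == "__main__":
    for item, problem in lint_pack(PACK, today=date(2025, 2, 1)):
        print(f"{item}: {problem}")
```

Running a check like this whenever the system changes keeps the pack from drifting out of date, and an empty findings list is itself an artefact you can keep.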

Check yourself

Quick check. Capstone

What makes a capstone defensible?

Clear scope, clear risk choices, and clear evidence you can show.

Why include evidence?

Evidence turns claims into something you can verify and audit.

Scenario. You present a security pack to leadership. What is one thing that makes it immediately more credible?

A concrete artefact such as an access review record, a threat model with owners, or a tested incident exercise write up with lessons and actions.

What is one useful evidence artefact?

A threat model, an access review record, or an incident exercise write up.

Artefact and reflection

Artefact

An operational security pack you can reuse

Reflection

Where in your work would producing a defensible pack that links risks, controls, and evidence change a decision, and what evidence would make you trust that change?

Optional practice

Capture the system scope, top risks, controls, verification, and evidence in one defensible pack.

Also in this module

Map controls to a framework

Use a framework map to make your controls explainable and auditable.

Source: NIST Cybersecurity Framework (CSF) 2.0 (2024)
Source: OWASP Top 10 (2025)
Source: OWASP ASVS 5.0.0
Source: ISO/IEC 27001:2022 Information security management systems