What is the purpose of using an artifact traceability matrix in ISSAP?


Multiple Choice

What is the purpose of using an artifact traceability matrix in ISSAP?

Explanation:

An artifact traceability matrix is used to ensure that every security requirement is carried through the design and validation phases. It creates a clear link from business and security requirements to the specific design decisions, implemented controls, and test cases, showing how each requirement is realized in the architecture and how it will be verified. This alignment across business, security, and technical elements makes it easier to confirm coverage, perform impact analysis when requirements or threats change, and provide auditability for compliance.

For example, a requirement to protect data in transit would be traced to design choices like TLS configuration, key and certificate management, and network segmentation; to controls such as encryption in transit and secure key lifecycle; and to test cases like TLS configuration tests and certificate rotation tests. This clarity is why the artifact traceability matrix best fits the purpose described. The other options describe different tasks—project timelines, license tracking, or stakeholder contact storage—that do not capture the role of aligning requirements with design, controls, and verification.
