Effective CISSP Questions

As a CISO, you report to the CEO directly and are invited, from time to time, to sit in the board room for consulting. Which of the following best assures the CEO, the board, and other stakeholders that information security governance is sound and appropriate?
A. Information security policy
B. Security audit
C. Risk assessment
D. Information security strategy

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Security audit.

Assessment, attestation, and auditing provide assurance, which is about one’s confidence in something. Removing someone’s doubts increases confidence and delivers assurance.

An audit is one type of independent assessment that follows specific criteria and standards. An audit delivers the highest level of assurance because of its objectivity and independence.

A risk assessment identifies, analyzes, and evaluates risks, but it doesn’t respond to risk or apply risk treatment. It’s part of information security governance.

A well-crafted information security strategy creates value only if it is executed or implemented effectively. Performance measurement and audits are applied for monitoring, improvement, and correction. The strategic plan of information security can be reviewed, but it delivers little assurance if it is not executed, evaluated, and audited.

Information security policy demonstrates the management intention, or that of the CISO specifically, to support the implementation of the information security strategy. As a CISO, you develop the information security strategy, issue the information security policy to direct the implementation of the strategy, and conduct risk assessments to ensure the objectives are achieved as expected. Internal or external auditors conduct audits to verify compliance with the policy and standards, and it is this independent verification that delivers assurance to the CEO, the board, and other stakeholders.
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

  • It is available on Amazon.
  • Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.