Effective CISSP Questions

As a CISO, you issue a policy that mandates every employee shall be aware of social engineering attacks. A supporting standard is then developed that requires everyone to complete at least three hours of awareness training each year. Which of the following is the best next activity to conduct to enforce the policy?
A. Penetration testing
B. Security assessment
C. Vulnerability assessment
D. Risk assessment

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Security assessment.

Enforcing a Policy

According to the Google dictionary, “enforce” means “compel observance of or compliance with (a law, rule, or obligation).” Enforcing the policy can be viewed as requiring someone or something to be compliant with the policy.

To enforce the policy, we first have to know how well it is followed or implemented. Assessment is the means to determine the extent to which the policy is enforced.


However, “assessment” refers to different things in various contexts.

  • In the context of information security, an assessment is performed to evaluate the fulfillment of specified requirements.
  • In the context of risk management, in terms of ISO 31000 or ISO 27005, it refers to the overall process that wraps risk identification, risk analysis, and risk evaluation.

Risk Assessment

As a CISO, you are aware of and have identified the risk of social engineering. After analyzing and evaluating it, you decide to respond to this risk, so you issue a policy, as a risk response, that mandates awareness of the risk, and you have the supporting standard defined.

Now that you have finished the first run of risk assessment and risk response, you need to decide whether the residual risk is acceptable. If not, another run of risk assessment is needed. To determine the residual risk, you have to understand or measure the performance of your controls (policy, standard, training, etc.) as part of the risk response strategy. As a result, the next run of the risk assessment is not the best activity to take at this time.

Security Assessment

Security assessment may refer to security control assessment (SCA) or information security assessment (ISA). Security control assessment (SCA) is part of information security assessment (ISA); they are similar but have different scopes.

Security assessment generally refers to the evaluation applied to the information system, its components and environment, and the security controls that enforce security, through testing, examination, and interviewing.

  • Penetration testing is one type of testing and part of a security assessment.
  • Vulnerability assessment can be viewed as part of a security assessment or even part of penetration testing. Terms such as vulnerability scan, vulnerability assessment, and vulnerability management are commonly used but without consistent definitions.


The question appears to be asking for an assessment of a specific awareness program to combat social engineering – something that good red teams excel at – but “security assessment” is usually a generic assessment of a product/department’s security?

Source: @GS from

According to the NIST glossary, security assessment refers to “the testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.”

Testing, examination, and interviewing are common assessment methods. An assessor or auditor can interview employees, test them with simulated phishing emails, and review training logs. A security assessment therefore offers a comprehensive way to enforce the policy. Penetration testing, one form of testing, is too limited compared with a generic or comprehensive security assessment.
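One of the evidence-review steps above, reviewing training logs against the supporting standard, can be automated. The following script is an added example and is not part of the original post; it assumes a constructed CSV-style export from a learning management system (employee id, course, completion date, hours) and an assumed employee roster, and it reports who has met the standard's three hours of awareness training for a given year, who has not, and which log lines could not be parsed. Employees on the roster with no log entries are treated as non-compliant rather than silently skipped, which is the gap an assessor most often finds.

```python
from collections import defaultdict
from datetime import date

# Constructed sample training log, as an assessor might export it from an LMS.
# Fields: employee id, course, completion date (ISO 8601), hours.
SAMPLE_LOG = """\
emp001,Social Engineering Basics,2023-02-10,1.5
emp001,Phishing Recognition,2023-06-15,1.0
emp001,Reporting Suspicious Contacts,2023-11-02,1.0
emp002,Social Engineering Basics,2023-03-01,1.5
emp002,Phishing Recognition,2022-12-20,2.0
emp003,Social Engineering Basics,2023-01-05,3.0
emp004,Phishing Recognition,2023-05-09,0.5
"""

# Assumed roster: emp005 has no training record at all.
SAMPLE_ROSTER = ["emp001", "emp002", "emp003", "emp004", "emp005"]

REQUIRED_HOURS_PER_YEAR = 3.0  # threshold from the supporting standard in the question


def parse_log(text):
    """Parse CSV-style lines into (employee, course, date, hours) tuples.

    Malformed lines are collected separately instead of being dropped, so the
    assessor can see gaps in the evidence rather than an inflated total."""
    records, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(",")]
        try:
            emp, course, when, hours = parts
            records.append((emp, course, date.fromisoformat(when), float(hours)))
        except ValueError:
            malformed.append(line)
    return records, malformed


def hours_by_employee(records, year):
    """Sum training hours per employee for the calendar year under review."""
    totals = defaultdict(float)
    for emp, _course, when, hours in records:
        if when.year == year:
            totals[emp] += hours
    return dict(totals)


def assess_compliance(records, roster, year, required=REQUIRED_HOURS_PER_YEAR):
    """Return (compliant set, {non-compliant employee: hours}) for the year.

    Every employee on the roster is judged; missing log entries count as 0 hours."""
    totals = hours_by_employee(records, year)
    compliant = {e for e in roster if totals.get(e, 0.0) >= required}
    noncompliant = {e: totals.get(e, 0.0) for e in roster if e not in compliant}
    return compliant, noncompliant


def compliance_rate(records, roster, year, required=REQUIRED_HOURS_PER_YEAR):
    """Fraction of the roster meeting the standard; 0.0 for an empty roster."""
    compliant, _ = assess_compliance(records, roster, year, required)
    return len(compliant) / len(roster) if roster else 0.0


if __name__ == "__main__":
    records, malformed = parse_log(SAMPLE_LOG)
    compliant, noncompliant = assess_compliance(records, SAMPLE_ROSTER, 2023)
    print(f"Compliant:     {sorted(compliant)}")
    print(f"Non-compliant: {noncompliant}")
    print(f"Unparsed lines: {malformed}")
    print(f"Compliance rate for 2023: {compliance_rate(records, SAMPLE_ROSTER, 2023):.0%}")
```

Running it on the sample data shows emp001 and emp003 meeting the standard, emp002 falling short because one of its courses was completed in the previous year, and emp005 flagged purely because the roster lists an employee the log never mentions. The rate itself (40% here) is the kind of measurement the post refers to when it says the residual risk cannot be judged until the performance of the controls is known.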



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

  • It is available on Amazon.
  • Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.

