Effective CISSP Questions

Your company sells toys online across the world. The online e-commerce (EC) system, which accepts credit cards, runs on a PaaS. The staff and management conduct periodic, proactive reviews of controls to assure stakeholders that the organization's internal control system is reliable. Which of the following is the best description of this management practice? (Source: Wentz QOTD)
A. SOC-2 audit
B. PCI-DSS audit
C. ISO 27001 audit
D. Self-assessment

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Self-assessment.

  • An assessment conducted by the staff and management themselves, better known as a self-assessment or self-evaluation, does not qualify as an audit, which must be conducted by an independent entity.
  • A self-assessment is typically treated as a management practice for continuous improvement. It’s also common to conduct a self-assessment before an audit.
  • A self-assessment does provide some sort of assurance to stakeholders, but not as strong as an audit conducted by an independent entity (a first-, second- or third-party).

Assurance, Attestation, and Audit

Assure, Ensure, and Insure

  • To assure someone is to remove someone’s doubts.
  • To ensure something is to make sure it happens—to guarantee it.
  • To insure something or someone is to cover it with an insurance policy.

Audit as an Independent Assessment

An audit is one type of independent assessment. ISO 19011 defines an audit as a “systematic, independent and documented process for obtaining audit evidence [records, statements of fact or other information which are relevant and verifiable] and evaluating it objectively to determine the extent to which the audit criteria [a set of policies, procedures or requirements] are fulfilled.”

Audit Types

Who Conducts the Security Assessment

  • First-party audits, also known as internal audits, are conducted by the internal audit function, e.g., the audit committee under the board of directors.
  • Second-party audits are conducted by external interested parties, e.g., first-tier customers, against their own proprietary requirements.
  • Third-party audits are performed against a recognized standard by independent external bodies, such as the big four (Deloitte, EY, KPMG, and PwC) or ISO certification bodies (BSI, SGS, TUV, etc.), and are generally accepted as the most robust type of assurance.


Your company sells toys online worldwide. A PaaS supports the e-commerce system that accepts credit card payments. The staff and management periodically and proactively review the controls to give interested parties confidence in the reliability of the organization's internal control system. Which of the following best describes this management practice? (Source: Wentz QOTD)
A. SOC audit
B. PCI-DSS audit
C. ISO 27001 audit
D. Self-assessment


My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial on information security but also a study guide for the CISSP exam and an informative reference for security professionals.
