Effective CISSP Questions

Compliance requirements are crucial to organizations. As an auditor, which of the following is least likely to be included in the audit scope?
A. Organizational policies issued by the policy approval authority
B. Code of ethics defined in the ethics program
C. Rules formulated by the regulatory agency
D. Inapplicable laws legislated by the Congress

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Inapplicable laws legislated by the Congress.

The diagram demonstrates typical compliance requirements. “A legal audit is an appraisal of an organization’s operations to determine its compliance with the laws and regulations that apply to it.” (Harris) In other words, laws inapplicable to an organization are typically not concerns of an auditor and won’t be included in the audit scope.

Identifying applicable laws and regulations is also a crucial issue for a global company with branches or subsidiaries around the world, since the laws that apply to the headquarters and to each branch or subsidiary may vary.

Both laws and regulations are rules. However, there are differences between them.

  • Laws are written by legislators and go through the bill process.
  • Regulations are created by a government agency, often to implement a
    given law.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

The Effective CISSP - SRM

The Effective CISSP: Practice Questions

Compliance requirements are crucial to organizations. As an auditor, which of the following is least likely to be included in the audit scope?
A. Organizational policies issued by the policy approval authority
B. Code of ethics defined in the ethics program
C. Rules formulated by the regulatory agency
D. Inapplicable laws legislated by the Congress


CISSP Practice Questions – 20201010
