Effective CISSP Questions

Which of the following is not one of the common assessment methods used in a risk-based audit? (Wentz QOTD)
A. Examining
B. Interviewing
C. Testing
D. Delphi method

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Delphi method.

Audit Parties

NIST SP 800-53A R4

NIST SP 800-53A R4 “defines the three assessment methods that can be used by assessors during security and privacy control assessments: (i) examine; (ii) interview; and (iii) test. The application of each method is described in terms of the attributes of depth and coverage, progressing from basic to focused to comprehensive.”

CISA Review Manual, 26th Edition

According to the CISA Review Manual, 26th edition, an IS audit is the formal examination, interview and/or testing of information systems to determine whether:
– Information systems are in compliance with applicable laws, regulations, and/or industry guidelines.
– IS data and information have appropriate levels of confidentiality, integrity and availability.
– IS operations are being accomplished efficiently and effective targets are being met.

Audit as Independent Assessment

Assessments conducted by independent parties are called audits. First-party audits are conducted by the internal audit function or department. Second-party audits are conducted by external parties such as first-tier customers per the contractual requirements. Third-party audits are conducted by external parties like the big four accounting firms or ISO certification bodies.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Which of the following is not a commonly used assessment method in a risk-based audit? (Wentz QOTD)
A. Examining
B. Interviewing
C. Testing
D. Delphi method

2 thoughts on “CISSP PRACTICE QUESTIONS – 20210510”

  1. Hi Wentz,

    I didn’t get the sentence “Second-party audits are conducted by external parties such as first-tier customers per the contractual requirements.” Who are they?
    Could you please explain a bit?
