Which of the following is not one of the common assessment methods used in a risk-based audit? (Wentz QOTD)
A. Examining
B. Interviewing
C. Testing
D. Delphi method
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Delphi method.
NIST SP 800-53A R4
NIST SP 800-53A R4 “defines the three assessment methods that can be used by assessors during security and privacy control assessments: (i) examine; (ii) interview; and (iii) test. The application of each method is described in terms of the attributes of depth and coverage, progressing from basic to focused to comprehensive.”
CISA Review Manual, 26th Edition
According to the CISA Review Manual, 26th Edition, an IS audit is the formal examination, interview and/or testing of information systems to determine whether:
– Information systems are in compliance with applicable laws, regulations, and/or industry guidelines.
– IS data and information have appropriate levels of confidentiality, integrity and availability.
– IS operations are being accomplished efficiently and effectiveness targets are being met.
Audit as Independent Assessment
Assessments conducted by independent parties are called audits. First-party audits are conducted by the internal audit function or department. Second-party audits are conducted by external parties such as first-tier customers per the contractual requirements. Third-party audits are conducted by external parties like the big four accounting firms or ISO certification bodies.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get a copy from the author’s web site.
Which of the following is not one of the common assessment methods used in a risk-based audit? (Wentz QOTD)
A. Examining
B. Interviewing
C. Testing
D. Delphi method
Hi Wentz,
I didn’t get the sentence “Second-party audits are conducted by external parties such as first-tier customers per the contractual requirements.” Who are they?
Could you please explain a bit?
First-tier customers may reserve their audit right in the contract to conduct audits to ensure their security requirements are enforced.