Effective CISSP Questions

The board of directors is discussing the organization of security function and its relation with the audit function. Which of the following is the most accepted practice? (Wentz QOTD)
A. The security function should comprise internal audits
B. The audit function should include the security function
C. The audit committee shall govern the security function
D. The security function may be managed by engineers or other staff

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. The security function may be managed by engineers or other staff.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Governance Structure
Governance Structure
Porter's Value Chain
Porter’s Value Chain

A function produces value by conducting activities that transform inputs into useful results. An organization typically comprises line functions and staff to support operations and deliver values.

The security function at the organization level can be conducted by employees at any rank, depending on the size, scale, security awareness of the organization in question. Large companies may establish a dedicated department headed by a CISO or manager to take care of information security, while small companies that have few resources may simply assign an IT engineer or any employee to handle information security affairs.

The audit function is typically directed by the audit committee under the board of directors. It’s an independent organizational unit that ensures compliance and provides assurance. The audit function doesn’t include or govern the security function to maintain its independence and objectivity.

The security function shall ensure the effectiveness of information security and comply with requirements such as laws, regulations, industrial standards, contracts, organizational policies, code of ethics, etc.; it is typically separated from the audit function.


董事會正在討論安全職能(security function)的組織及其與審計職能(audit function)的關係。 以下哪個是最被接受的做法? (Wentz QOTD)
A. 安全功能應包括內部審計(internal audits)
B. 審計功能應包含安全功能
C. 審計委員會應負責治理(govern)安全功能
D. 安全功能可由工程師或其他人員(staff)管理

1 thought on “CISSP PRACTICE QUESTIONS – 20210915

  1. Pingback: 安全功能(security function) – Choson資安大小事

Leave a Reply