CISSP PRACTICE QUESTIONS – 20211104

Effective CISSP Questions

Your organization is a cloud service provider and intends to assure security to customers. Which of the following entities conduct security assessments based on public security standards and provide the highest level of assurance? (Wentz QOTD)
A. The audit function within an organization
B. Certification Bodies (CB) accredited by an International Accreditation Forum (IAF) member or Accreditation Body (AB)
C. Certified Public Accountants (CPA) designated by the American Institute of Certified Public Accountants (AICPA)
D. Big or first-class customers

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Certification Bodies (CB) accredited by an International Accreditation Forum (IAF) member or Accreditation Body (AB).

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Assurance, Attestation, and Audit

The audit function within an organization and big or first-class customers may conduct audits based on proprietary or public standards and provide assurance to limited audiences.

ISO Standards

ISO standards are developed by the International Organization for Standardization (ISO), founded on 23 February 1947 and headquartered in Geneva, Switzerland. They are public standards recognized worldwide, which typically define specific control objectives and controls. For example, certification bodies for ISO 27001 (e.g., SGS, BSI, and TUV) are auditors that conduct audits per the standard ISO 17021 to certify whether the auditee complies with the requirements specified in the standard ISO 27001.

CB, AB, and International Accreditation Forum (IAF)
ISO 27000 Series of Standards

SOC for Service Organizations

Service Organization Control (SOC)

Unlike ISO standards, which provide mandatory requirements, control objectives, and controls, SOC engagements entail service organizations describing their own systems, setting their own control objectives, and designing controls to meet them.

Certified Public Accountants (CPA) designated by the American Institute of Certified Public Accountants (AICPA) can conduct SOC examinations per the AICPA Guide and attest 1) the fairness of the presentation of management’s description of the service organization’s system and 2) the suitability of the design and operating effectiveness of the controls (to achieve the related control objectives included in the description).

SOC for Service Organizations reports are designed to help service organizations that provide services to other entities build trust and confidence in the service performed and controls related to the services through a report by an independent CPA. Each type of SOC for Service Organizations report is designed to help service organizations meet specific user needs:

SOC 1® – SOC for Service Organizations: ICFR

Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.

There are two types of reports for these engagements:

* Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
* Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Use of these reports is restricted to the management of the service organization, user entities, and user auditors.

SOC 2® – SOC for Service Organizations: Trust Services Criteria

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:

* Oversight of the organization
* Vendor management programs
* Internal corporate governance and risk management processes
* Regulatory oversight

Similar to a SOC 1 report, there are two types of reports: A type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and a type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports is restricted.

Source: AICPA

Your organization is a cloud service provider and intends to assure security to customers. Which of the following entities conduct security assessments based on public security standards and provide the highest level of assurance? (Wentz QOTD)
A. The audit function within an organization
B. Certification Bodies (CB) accredited by an International Accreditation Forum (IAF) member or Accreditation Body (AB)
C. Certified Public Accountants (CPA) designated by the American Institute of Certified Public Accountants (AICPA)
D. Big or first-class customers
