Effective CISSP Questions

As an auditor, you are conducting an independent information security assessment. Which of the following is the artifact you should review first to assess the effectiveness of controls? (Wentz QOTD)
A. Business case
B. Security controls design
C. Information security policy
D. Statement of applicability of controls

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Information security policy.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Policy Framework
Policy Framework

All organizational activities are driven by policies, the management intent. The board of directors (and sometimes senior management) governs (evaluates, directs, and measures) an organization through policies.

The statement of applicability (SoA) defines the scope of controls in an information security management system (ISMS). A security controls design, which must be justified by the business case, is the solution that meets the requirements of the SoA.

The Statement of Applicability (SoA) forms a fundamental part of your information security management system (ISMS). The SoA is one of the most important documents you’ll need to develop for ISO 27001:2013 certification. Put simply, in its quest to protect valuable information assets and manage the information processing facilities, the SoA states what ISO 27001 controls and policies are being applied by the organisation. It benchmarks against the Annex A control set in the ISO 27001 standard (described at the back of that ISO standards document as reference control objectives and controls). The statement of applicability is found in 6.1.3 of the main requirements for ISO 27001, which is part of the broader 6.1, focused on actions to address risks and opportunities. The SoA is therefore an integral part of the mandatory ISO 27001 documentation that needs to be presented to an external auditor when the ISMS is undergoing an independent audit e.g. by a UKAS audit certification body.

Source: ISMS Online

The following diagram is an example of BCMS that demonstrate the overall picture:

Business Continuity Policy
Business Continuity Policy


作為審核員,您正在進行獨立的信息安全評鑑。 為評鑑控制的有效性,以下哪個是您應該要最先審查(review)的工件? (Wentz QOTD)
A. 商業案例 (business case)
B. 安全控制設計
C. 信息安全政策
D. 控制適用性聲明 (SoA)

Leave a Reply