Effective CISSP Questions

Assurance is the outcome of activities that decrease doubts and increase confidence. Which of the following provides the highest level of assurance? (Wentz QOTD)
A. Self-declaration
B. Attestation
C. Audit
D. Verification and Validation (V&V)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Audit.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Assurance, Attestation, and Audit
Auditing, Attestation, and Assurance by Edspira

While there is no such thing as a SOC 2 certification, many still refer to a clean SOC 2 report as a certification. A SOC 2 is actually an attestation report. A CPA firm attests that controls are in place and either designed effectively (Type I SOC 2), or designed effectively and operated effectively over a period of time (Type II SOC 2). Management asserts that controls are in place to meet the SOC 2 criteria and a CPA firm provides an opinion on whether or not they agree with management’s assertion.

In many cases, the opinion is positive and the CPA firm agrees with management’s assertion. In some cases, the CPA firm does not agree with management’s assertion and provides a qualified or adverse opinion. See this past blog post on qualified opinions. Although a SOC 2 is technically an attestation report, it’s very common for people to call a SOC 2 a certification. See the AICPA page related to attestation reports for more information.

Source: Linford & Company LLP

Verification and Validation (V&V)

ISO 15288 - System Life Cycle Processes

In systems engineering, Verification and Validation (V&V) are two separate technical processes in ISO 15288, and both can be treated as quality control activities. According to ISO 9000:2015, Quality management systems — Fundamentals and vocabulary:

  • Quality Control (QC) – part of quality management focused on fulfilling quality requirements
  • Quality Assurance (QA) – part of quality management focused on providing confidence that quality requirements will be fulfilled
  • Quality Management (QM) – management with regard to quality
  • Quality – degree to which a set of inherent characteristics of an object fulfils requirements
  • Requirement – need or expectation that is stated, generally implied or obligatory
  • Objective – result to be achieved [Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as a quality objective (3.7.2) or by the use of other words with similar meaning (e.g. aim, goal, or target).]
  • Performance – measurable result


Assurance is the outcome of activities that decrease doubts and increase confidence. Which of the following provides the highest level of assurance? (Wentz QOTD)
A. Self-declaration
B. Attestation
C. Audit
D. Verification and Validation (V&V)
