Which of the following BEST enables an information security manager to determine the comprehensiveness of an organization’s information security strategy?
In simple words, an organization's information security strategy is something that's tailored based on where the org wants to be (a.k.a. risk appetite); audit results are based on compliance.
The correct answer is A: Internal security audit, because it allows the security manager to systematically evaluate whether the strategy is holistic, risk-aligned, and effectively implemented.
C. External security audit
An external security audit involves an independent examination of an organization's information security policies, processes, and controls by an external entity. This audit assesses the organization's adherence to established standards and best practices, helping to determine the comprehensiveness of the information security strategy. External audits provide an objective perspective and can identify areas for improvement, potential vulnerabilities, and gaps in the security strategy that may not be apparent in internal assessments. While internal security audits (Option A) and other assessments are valuable, an external audit adds an extra layer of validation and objectivity to the evaluation process.
Straight from multiple professional pentesters' mouths. A company will almost always pass an internal audit, whether that be them knowingly lying or by accident. For the most comprehensive dive into a business's security, a 3rd party audit needs to be performed.
They really shouldn't have put two audit answers, it really could be either one of them.
CISM's view on audits, as given in CISM Review Manual 27th Edition, is on page 47:
"Audits provide the ultimate assurance of compliance because they are independent and are based on recognized standards. Audits cover the entire IS management process from risk identification and control design to control operation and monitoring."
On page 121, it mentions:
"Internal audits: The goal of internal audits is to provide assurance to management that controls are working as designed and are effective in managing the organization's risks."
And on page 46, it states:
"External audits: External audits provide an independent, objective assessment of the effectiveness of controls in managing an organization's information security risks."
There really is no clear answer, based on the material alone. And although external seems to make the most sense if the question were about objectivity, I think internal often provides more depth.
Seeing as the question is asking for the BEST method to get 'comprehensiveness', I would go with a 3rd party independent audit of the InfoSec program, which in this case is Option C.
Organization risk appetite can give a good understanding of the program, but complete details? I don't think so.
Comprehensive understanding is provided by an external audit.