Is the auditor using COBIT, ISO 27001, or ISO 27002? The MOST important thing is what governance and compliance standards they're testing against, not whether they're biased or neutral. Every human being has a built-in bias.
While having an industry framework (such as ISO 27001, NIST, or CIS Controls) to audit against is very important, it is not a prerequisite for performing a security audit. Audits can be conducted based on internal policies, procedures, or other criteria, even if a formal industry framework is not being used.
Neutrality of the auditor is crucial for ensuring that the audit is impartial, objective, and free from bias. The auditor must be independent of the entity or the specific operations being audited to provide an honest assessment of the security posture. This neutrality ensures that the findings and recommendations are based on actual evidence rather than being influenced by internal pressures or conflicts of interest.
Terrible question, it should say "MUST" exist. Any of the 4 could be right depending on the situation. If you're doing self-assessment for the SPRS system, for example, the assessor doesn't have to be 3rd party or neutral, they just have to be truthful.
A. Neutrality of the auditor. The definition of security audit in the ISC2 study guide mentions bias: "Security audits: Evaluations performed with the purpose of demonstrating the effectiveness of controls to a third party. Security audits use many of the same techniques followed during security assessments but must be performed by independent auditors. The staff members who design, implement, and monitor controls for an organization have an inherent conflict of interest when evaluating the effectiveness of those controls."
What should exist to PERFORM the audit? B, a framework to audit against.
What is important to prevent bias in the audit RESULT? A, a neutral auditor.
The question is asking what should exist to begin the audit, not what the results would be.
C. In many cases, an external (third-party) auditor is preferred because they typically have fewer biases or conflicts of interest compared to an internal auditor. Auditor independence ensures that the evaluation is objective and free of internal influences that could affect the impartiality of the audit results. Therefore, the impartiality of the auditor is arguably more crucial, and the choice of an external auditor often contributes to that impartiality.
I'm sticking with A for two reasons:
1. There are three types of audit strategies – Internal, External, and Third-party. Internal audits should be closely aligned to the organization, the external strategy needs to ensure procedures/compliance are being followed with regular checks and complement the internal strategy. The third-party strategy is an objective, neutral approach that reviews the overall strategy for auditing the organization’s environment, methods of testing, and can also ensure that both internal and external audits are following defined policies and procedures. - https://resources.infosecinstitute.com/certifications/cissp/cissp-domain-6-refresh-security-assessment-and-testing/
2. Audits only have to be aligned to an industry framework for certification. Audits can be performed for other reasons with a varied scope tailored to the specific organization.
A and B are important aspects of performing a security audit, but A is the better answer choice because it directly addresses the impartiality and objectivity of the auditor, which is a fundamental principle of auditing.
A. Neutrality of the auditor:
Neutrality refers to the auditor's impartiality and lack of bias in conducting the audit.
It ensures that the auditor's judgment and findings are not influenced by personal or financial interests.
Neutrality is a core principle of auditing to maintain the credibility and integrity of the audit process.
"Neutrality of the auditor" is something qualitative and cannot be trusted.
What we care about is the result of the audit, and it has to be based on standards.
Selected answer is correct. Key points in the question: "should exist" and "security audit". We can't measure the neutrality of an auditor, regardless of whether they are internal or external. A security audit must be conducted against a framework such as ISO 27001, etc. Otherwise, how can we do an audit properly?
Regardless of how neutral the auditor is, you won't have reliable results unless you have a defined industry framework to audit against. Given answer is correct.
Answer is correct
" A conceptual security framework to manage and audit Information System Security is proposed and discussed. The proposed framework intends to assist organizations firstly to understand what they precisely need to protect assets and what are their weaknesses (vulnerabilities), enabling to perform an adequate security management. Secondly, enabling a security audit framework to support the organization to assess the efficiency of the controls and policy adopted to prevent or mitigate attacks, threats and vulnerabilities, promoted by the advances of new technologies and new Internet-enabled services, that the organizations are subject o"
https://www.examtopics.com/exams/isc/cissp/view/37/
In my opinion, you can do an internal audit not followed by any framework. Just to check how things are working in your business. But the general principle is the neutrality of the auditor.
Community vote distribution: A (35%), C (25%), B (20%), other.