
CISM Question #314: Real Exam Question with Answer & Explanation

Correct answer: D. Independent testing

Submitted by hassan_iq · Apr 18, 2026 · Information Security Risk Management

Question

Which of the following provides the BEST assurance of a security control's effectiveness?

Options

  • A. Internal audit results
  • B. Risk assessment
  • C. Self-assessment
  • D. Independent testing

Explanation

The effectiveness of a security control is best validated through independent testing, where testers have no conflict of interest and no stake in the outcome. Independence eliminates the bias that can affect internal reviews and self-assessments. Option A (internal audit) provides value but can be influenced by organizational culture or politics. Option B (risk assessment) identifies what risks exist but does not directly test whether controls are working as intended. Option C (self-assessment) is the weakest form of assurance because the people being assessed are evaluating themselves. Independent testing, such as third-party penetration testing or external audits, provides the most objective, credible evidence that controls are operating effectively.

Topics

#SecurityControlEffectiveness · #AssuranceMethods · #IndependentVerification
