CISSP Question #1023: Real Exam Question with Answer & Explanation

The correct answer is C: Inform the CISO that they are unable to perform the task because they should render only those

Submitted by valeria.br · Mar 5, 2026 · Security and Risk Management

Question

A Certified Information Systems Security Professional (CISSP) with identity and access management (IAM) responsibilities is asked by the Chief Information Security Officer (CISO) to perform a vulnerability assessment on a web application to pass a Payment Card Industry (PCI) audit. The CISSP has never performed this before. According to the (ISC)² Code of Professional Ethics, which of the following should the CISSP do?

Options

  • A. Review the CISSP guidelines for performing a vulnerability assessment before proceeding to
  • B. Review the PCI requirements before performing the vulnerability assessment
  • C. Inform the CISO that they are unable to perform the task because they should render only those
  • D. Since they are CISSP certified, they have enough knowledge to assist with the request, but will

Explanation

Option C is correct because the (ISC)² Code of Professional Ethics explicitly requires CISSPs to "render only those services for which they are fully competent and qualified." Since this CISSP has never performed a vulnerability assessment, they must disclose their lack of competence to the CISO rather than attempt a task outside their expertise, particularly in a high-stakes PCI audit context where errors could have serious consequences.

Why the distractors are wrong:

  • Option A is incorrect because simply reviewing guidelines before proceeding does not make someone competent enough to perform the task; preparation alone doesn't substitute for actual qualification.
  • Option B is incorrect for the same reason; reviewing PCI requirements addresses regulatory knowledge but does not address the CISSP's lack of hands-on vulnerability assessment competence.
  • Option D is incorrect because holding a CISSP certification does not automatically confer competence in every security domain; the certification is broad, and IAM is this individual's specialty, not vulnerability assessments.

Memory Tip: Think of the (ISC)² ethics canon using the phrase "Know your limits, say it out loud." If you're not qualified, the ethical obligation is to communicate that limitation upward, not to improvise, just as a doctor wouldn't perform surgery outside their specialty without disclosure.

Topics

  • (ISC)² Code of Ethics
  • Professional Competence
  • Ethical Decision Making
  • Professional Responsibility
