CISSP Question #1347: Real Exam Question with Answer & Explanation

Correct answer: D

Submitted by priya_blr · Mar 5, 2026 · Security Assessment and Testing

Question

The Chief Executive Officer (CEO) wants to implement an internal audit of the company's information security posture. The CEO wants to avoid any bias in the audit process and has therefore assigned the Sales Director to conduct the audit. After significant interaction over a period of weeks, the audit concludes that the company's policies and procedures are sufficient, robust and well established. The CEO then engages an external penetration testing company in order to showcase the organization's robust information security stance. This exercise reveals significant failings in several critical security controls and shows that the incident response processes remain undocumented. What is the MOST likely reason for this disparity between the results of the audit and the external penetration test?

Options

  • A. The external penetration testing company used custom zero-day attacks that could not have been
  • B. The information technology (IT) and governance teams have failed to disclose relevant
  • C. The scope of the penetration test exercise and the internal audit were significantly different.
  • D. The audit team lacked the technical experience and training to make insightful and objective

Explanation

The most likely reason for the disparity between the results of the audit and the external penetration test is that the audit team lacked the technical experience and training to make insightful and objective assessments of the data provided to them. The Sales Director, who conducted the audit, may not have had the skills, knowledge, or tools needed to identify and evaluate the security issues and gaps in the company's information security posture. The audit team may have relied on the information provided by the IT and governance teams without verifying or testing its accuracy or completeness. The audit team may also have been influenced by bias or pressure from the CEO or other stakeholders, who wanted to present a positive image of the company's security.

Topics

#Internal audit · #auditor independence · #auditor competence · #security assessment
