CISSP Question #1438: Real Exam Question with Answer & Explanation

The correct answer is B: Auditing and assessment. Determining the success of a patch management process requires auditing and assessment to verify that patches were applied correctly, completely, and within compliance requirements.

Submitted by andres_qro · Mar 5, 2026 · Security Operations

Question

Which of the following is the BEST way to determine the success of a patch management process?

Options

  • A. Analysis and impact assessment
  • B. Auditing and assessment
  • C. Configuration management (CM)
  • D. Change management

Explanation

Determining the success of a patch management process requires auditing and assessment to verify that patches were applied correctly, completely, and within compliance requirements.

Common mistakes.

  • A. Analysis and impact assessment is a pre-patch activity used to evaluate the potential effects of applying a patch before deployment, not a post-process measurement of success.
  • C. Configuration management tracks and controls the state of IT assets and their configurations but does not specifically measure whether the patch management process achieved its goals.
  • D. Change management is the process used to control and approve changes (including patches) before they are made, but it does not evaluate the outcome or success of the patching process after the fact.

Concept tested. Evaluating patch management process effectiveness through auditing

Reference. https://www.nist.gov/publications/guide-enterprise-patch-management-planning-preventive-maintenance-technology

Topics

#patch management · #security auditing · #process assessment
