(ISC)2
CISSP Question #1510: Real Exam Question with Answer & Explanation
The correct answer is A: Industry framework to audit against.
Submitted by tom_us · Mar 5, 2026 · Domain: Security Assessment and Testing
Question
Which of the following should exist in order to perform a security audit?
Options
- A. Industry framework to audit against
- B. External (third-party) auditor
- C. Internal certified auditor
- D. Neutrality of the auditor
Explanation
A security audit requires a defined framework or standard to measure against, providing the criteria and benchmarks that determine compliance or deficiencies.
Common mistakes
- B. External auditors can add objectivity, but they are not a strict requirement: many valid security audits are conducted internally, so a third-party auditor is optional rather than mandatory.
- C. An internal certified auditor is one valid option for conducting an audit, but certification and internal status are not universally required prerequisites; what matters is having a standard to audit against, not who performs the audit.
- D. Auditor neutrality is a best practice that improves audit quality and credibility, but it is not a foundational requirement that must exist before an audit can be performed; an audit can still take place without guaranteed neutrality.
Concept tested: Prerequisites and requirements for conducting security audits
Reference: https://www.nist.gov/cyberframework
Topics
security audit, audit framework, compliance