nerdexam
(ISC)2

CISSP · Question #578

Which of the following would an internal technical security audit BEST validate?

The correct answer is D. Implementation of changes to a system. An internal technical security audit focuses on verifying that technical controls and configurations have been properly implemented within systems. It is best suited for validating hands-on, system-level changes rather than organizational or managerial oversight.

Submitted by viktor_hu· Mar 5, 2026Security Assessment and Testing

Question

Which of the following would an internal technical security audit BEST validate?

Options

  • AWhether managerial controls are in place
  • BSupport for security programs by executive management
  • CAppropriate third-party system hardening
  • DImplementation of changes to a system

How the community answered

(25 responses)
  • A
    4% (1)
  • B
    4% (1)
  • C
    4% (1)
  • D
    88% (22)

Why each option

An internal technical security audit focuses on verifying that technical controls and configurations have been properly implemented within systems. It is best suited for validating hands-on, system-level changes rather than organizational or managerial oversight.

AWhether managerial controls are in place

Validating whether managerial controls are in place is the function of a management or compliance audit, not a technical security audit, since managerial controls involve policies, procedures, and organizational accountability rather than system-level configurations.

BSupport for security programs by executive management

Executive management support for security programs is an organizational and governance concern assessed through interviews, policy reviews, or program audits-not through a technical security audit that examines system-level implementations.

CAppropriate third-party system hardening

Third-party system hardening would be evaluated through a vendor assessment, supply chain audit, or third-party risk management review, not an internal technical audit which focuses on internally managed systems and controls.

DImplementation of changes to a systemCorrect

An internal technical security audit directly examines system configurations, logs, and change records to confirm that specific technical changes-such as patches, access control updates, or configuration hardening-have been correctly implemented. This type of audit involves reviewing technical artifacts like system states and audit trails, making it the most appropriate mechanism for validating implementation of system changes. Technical audits are designed precisely to verify that documented changes match the actual state of systems.

Concept tested: Purpose and scope of internal technical security audits

Source: https://csrc.nist.gov/publications/detail/sp/800-115/final

Topics

#Technical security audit#System changes#Configuration management#Security assessment

Community Discussion

No community discussion yet for this question.

Full CISSP Practice