CISSP · Question #642
What is the PRIMARY purpose for an organization to conduct a security audit?
The correct answer is B. To ensure the organization is applying security controls to mitigate identified risks. A security audit's primary purpose is to evaluate whether appropriate security controls are in place and effectively mitigating identified risks within the organization.
Question
Options
- ATo ensure the organization is adhering to a well-defined standard
- BTo ensure the organization is applying security controls to mitigate identified risks
- CTo ensure the organization is configuring information systems efficiently
- DTo ensure the organization is documenting findings
How the community answered
(35 responses)- A3% (1)
- B83% (29)
- C6% (2)
- D9% (3)
Why each option
A security audit's primary purpose is to evaluate whether appropriate security controls are in place and effectively mitigating identified risks within the organization.
Adhering to a defined standard describes a compliance assessment or regulatory audit, which is a subset of security activities, not the primary purpose of a security audit broadly defined.
The primary purpose of a security audit is to verify that security controls are properly implemented and functioning to mitigate identified risks. Audits assess the effectiveness of technical, administrative, and physical controls against known threats and vulnerabilities, ensuring the organization's risk posture is being actively managed and reduced.
Configuring information systems efficiently is an operational or IT management objective, not a security audit goal, as audits evaluate security posture rather than system performance or configuration efficiency.
Documenting findings is a byproduct and deliverable of the audit process, but it is not the primary purpose - documentation serves to communicate the results of the audit, not define its goal.
Concept tested: Purpose and scope of security audits
Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Topics
Community Discussion
No community discussion yet for this question.