nerdexam
(ISC)2

CISSP · Question #642

What is the PRIMARY purpose for an organization to conduct a security audit?

The correct answer is B. To ensure the organization is applying security controls to mitigate identified risks. A security audit's primary purpose is to evaluate whether appropriate security controls are in place and effectively mitigating identified risks within the organization.

Submitted by lukas.cz· Mar 5, 2026Security Assessment and Testing

Question

What is the PRIMARY purpose for an organization to conduct a security audit?

Options

  • ATo ensure the organization is adhering to a well-defined standard
  • BTo ensure the organization is applying security controls to mitigate identified risks
  • CTo ensure the organization is configuring information systems efficiently
  • DTo ensure the organization is documenting findings

How the community answered

(35 responses)
  • A
    3% (1)
  • B
    83% (29)
  • C
    6% (2)
  • D
    9% (3)

Why each option

A security audit's primary purpose is to evaluate whether appropriate security controls are in place and effectively mitigating identified risks within the organization.

ATo ensure the organization is adhering to a well-defined standard

Adhering to a defined standard describes a compliance assessment or regulatory audit, which is a subset of security activities, not the primary purpose of a security audit broadly defined.

BTo ensure the organization is applying security controls to mitigate identified risksCorrect

The primary purpose of a security audit is to verify that security controls are properly implemented and functioning to mitigate identified risks. Audits assess the effectiveness of technical, administrative, and physical controls against known threats and vulnerabilities, ensuring the organization's risk posture is being actively managed and reduced.

CTo ensure the organization is configuring information systems efficiently

Configuring information systems efficiently is an operational or IT management objective, not a security audit goal, as audits evaluate security posture rather than system performance or configuration efficiency.

DTo ensure the organization is documenting findings

Documenting findings is a byproduct and deliverable of the audit process, but it is not the primary purpose - documentation serves to communicate the results of the audit, not define its goal.

Concept tested: Purpose and scope of security audits

Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

Topics

#security audit#risk mitigation#security controls

Community Discussion

No community discussion yet for this question.

Full CISSP Practice