nerdexam
(ISC)2

CISSP · Question #700

What is the PRIMARY purpose of auditing, as it relates to the security review cycle?

The correct answer is A. To ensure the organization's controls and pokies are working as intended. Auditing in the security review cycle primarily validates that an organization's security controls and policies are functioning as designed and intended.

Submitted by omar99· Mar 5, 2026Security Assessment and Testing

Question

What is the PRIMARY purpose of auditing, as it relates to the security review cycle?

Options

  • ATo ensure the organization's controls and pokies are working as intended
  • BTo ensure the organization can still be publicly traded
  • CTo ensure the organization's executive team won't be sued
  • DTo ensure the organization meets contractual requirements

How the community answered

(34 responses)
  • A
    91% (31)
  • C
    3% (1)
  • D
    6% (2)

Why each option

Auditing in the security review cycle primarily validates that an organization's security controls and policies are functioning as designed and intended.

ATo ensure the organization's controls and pokies are working as intendedCorrect

The primary purpose of auditing within a security review cycle is to objectively assess whether the organization's controls and policies are operating effectively and achieving their intended outcomes. Audits provide evidence-based assurance that security mechanisms are functioning correctly, identify gaps or failures, and drive continuous improvement in the security posture.

BTo ensure the organization can still be publicly traded

While public companies may be subject to audits for regulatory compliance (e.g., SOX), maintaining stock exchange listing eligibility is a secondary business outcome, not the primary security purpose of auditing.

CTo ensure the organization's executive team won't be sued

Protecting executives from litigation is a potential ancillary benefit of good governance, but it is not the primary security-focused objective of the audit process within a security review cycle.

DTo ensure the organization meets contractual requirements

Meeting contractual requirements (e.g., SLAs or third-party agreements) may be one driver for conducting an audit, but it is a specific use case rather than the overarching primary purpose of auditing in the security review cycle.

Concept tested: Purpose of security auditing in review cycles

Source: https://www.nist.gov/system/files/documents/2017/03/08/audit-and-accountability-discussion-march-2017.pdf

Topics

#security auditing#control effectiveness#compliance monitoring

Community Discussion

No community discussion yet for this question.

Full CISSP Practice