
CISSP Question #816: Real Exam Question with Answer & Explanation

The correct answer is A: force the organization to make conscious risk decisions.

Submitted by cyberguy42 · Mar 5, 2026 · Domain: Security and Risk Management

Question

The MAIN reason an organization conducts a security authorization process is to

Options

  • A. force the organization to make conscious risk decisions.
  • B. assure the effectiveness of security controls.
  • C. assure the correct security organization exists.
  • D. force the organization to enlist management support.

Explanation

Security Authorization Process Explained

Security authorization (also called "Authority to Operate" or ATO) exists primarily to ensure that organizational leadership consciously accepts responsibility for the risks associated with operating an information system. Rather than allowing systems to run without formal acknowledgment of their risk posture, the authorization process forces decision-makers to explicitly approve operations despite known vulnerabilities or residual risks - making risk acceptance a deliberate, documented act.

Why the distractors are wrong:

  • B is incorrect because while security controls are assessed during authorization, assuring their effectiveness is a byproduct of the process (control assessment), not its main purpose.
  • C is incorrect because the authorization process focuses on system risk decisions, not on validating organizational structure or security team composition.
  • D is incorrect because management support is a prerequisite or desired outcome of good security governance - not the driving reason authorization exists.

💡 Memory Tip: Think of authorization as a formal "sign here, you understand the risk" moment - like signing a waiver. The point is conscious, documented risk acceptance by leadership, not just checking boxes. If you remember "authorization = accountable risk decision," option A will always stand out.

Topics

Security Authorization · Risk Management Framework · Risk Acceptance · Authorizing Official
