
CISSP Question #839: Real Exam Question with Answer & Explanation


Submitted by thandi_sa · Mar 5, 2026 · Domain: Security and Risk Management

Question

Which of the following BEST describes the purpose of performing security certification?

Options

  • A. To identify system threats, vulnerabilities, and acceptable level of risk
  • B. To formalize the confirmation of compliance to security policies and standards
  • C. To formalize the confirmation of completed risk mitigation and risk analysis
  • D. To verify that system architecture and interconnections with other systems are effectively

Explanation

Security Certification Explained

Why B is Correct: Security certification is the formal process of evaluating a system against established security policies, standards, and requirements to confirm it meets compliance obligations. It produces documented evidence that a system adheres to the required security controls, essentially serving as an official "stamp of approval" before authorization is granted.

Why the Others Are Wrong:

  • A describes a risk assessment or threat modeling activity, which is a separate process that feeds into certification rather than defining it
  • C is partially related but misleading - certification does not confirm that risk mitigation is completed, as some residual risk always remains; it confirms compliance, not elimination of risk
  • D describes security architecture review or connectivity/interface analysis, which is a technical verification activity distinct from the formal compliance confirmation that certification represents

Memory Tip: Think of certification like a diploma - it formally confirms you met all the required standards of a program. Just as a diploma doesn't mean you know everything (risk still exists), it confirms you met the defined requirements. When you see "certification," think "formal confirmation of compliance."

Topics

#SecurityCertification #Compliance #SecurityPolicies #Standards
