
SY0-701 Question #358: Real Exam Question with Answer & Explanation


Submitted by the_admin · Mar 6, 2026 · Security program management and oversight

Question

A Chief Information Security Officer would like to conduct frequent, detailed reviews of systems and procedures to track compliance objectives. Which of the following will be the best method to achieve this objective?

Options

  • A. Third-party attestation
  • B. Penetration testing
  • C. Internal auditing
  • D. Vulnerability scans

Explanation

Internal auditing is the best fit because it is performed by the organization's own staff, can be conducted frequently and on-demand, and is specifically designed to evaluate systems, procedures, and controls against compliance objectives - giving the CISO direct, ongoing visibility.

Why the distractors are wrong:

  • A. Third-party attestation involves an external body vouching for compliance (e.g., SOC 2 reports) - it's periodic and expensive, not suited for frequent internal reviews.
  • B. Penetration testing actively exploits vulnerabilities to assess security posture; it's a technical offensive exercise, not a compliance-tracking mechanism.
  • D. Vulnerability scans identify technical weaknesses in systems but don't evaluate procedures, policies, or compliance controls - they're narrowly technical in scope.

Memory tip: Think "Internal = Inside control." Internal auditing is the only option that lives inside the organization, covers both systems and procedures, and can be scheduled as often as leadership requires - making it the natural tool for a CISO tracking ongoing compliance.

Topics

#Internal auditing · #Compliance tracking · #Security assessments · #Security governance
