Exam CISM topic 1 question 572 discussion

Actual exam question from Isaca's CISM
Question #: 572
Topic #: 1

Which of the following BEST demonstrates that security controls are effective?

  • A. Audit report
  • B. Tabletop simulation
  • C. Risk and control self-assessment
  • D. Business impact analysis (BIA) results
Suggested Answer: A 🗳️

Comments

CarlPTY07
Highly Voted 2 years, 2 months ago
Selected Answer: A
Internal and external audit results: Audit reports are generally seen as an in-depth view of the effectiveness of internal controls in the organization. (Gregory, Peter H. CISM Certified Information Security Manager Bundle, p. 132. McGraw Hill LLC. Kindle Edition.)
upvoted 15 times
...
giovi
Highly Voted 2 years, 2 months ago
Selected Answer: C
Definitely C. Organizations must understand the risks they face and the controls they can implement to manage those risks. They must also conduct regular risk control assessments and self-assessments to determine whether those controls continue to operate effectively.
upvoted 7 times
...
SHERLOCKAWS
Most Recent 1 month, 2 weeks ago
Selected Answer: C
Answer is C: Risk and control self-assessments are proactive assessments where control owners evaluate the design and performance of controls, identify weaknesses or improvements and provide ongoing, operational insight. It's a solid way to demonstrate that controls are not only in place, but working. Regarding answer A: Audits are usually point-in-time and often focus on compliance, but not on whether controls are actively effective.
upvoted 1 times
...
Booict
8 months, 2 weeks ago
Selected Answer: A
A for me
upvoted 1 times
...
koala_lay
1 year, 7 months ago
Selected Answer: A
All of the options mentioned can provide valuable insights into the effectiveness of security controls, but the best demonstration would be an audit report. An audit report is a formal assessment conducted by an independent party that evaluates the adequacy and effectiveness of security controls. It provides an unbiased and objective view of the organization's security posture and can identify any vulnerabilities or weaknesses in the controls. In contrast, the other options mentioned - tabletop simulations, risk and control self-assessments, and business impact analysis (BIA) results - can help identify potential areas of improvement but may not provide the same level of assurance as an audit report.
upvoted 3 times
...
Cert_IT
1 year, 8 months ago
Selected Answer: A
Audit report. While tabletop simulations (option B), risk and control self-assessment (option C), and business impact analysis (BIA) results (option D) are valuable activities and assessments, they may not provide the same level of objective and independent verification of control effectiveness as an audit report. Audit reports are typically conducted by external or internal auditors with expertise in evaluating security controls, making them a strong indicator of control effectiveness.
upvoted 1 times
...
oluchecpoint
1 year, 8 months ago
Selected Answer: A
A. Audit report. An audit report is typically the best demonstration that security controls are effective. It provides an independent assessment of an organization's security controls by an external auditor or an internal audit team. Audit reports include findings, recommendations, and conclusions about the effectiveness of security controls based on a comprehensive evaluation of the organization's policies, procedures, and practices. This assessment is generally considered to be an authoritative and objective measure of security control effectiveness.
upvoted 1 times
...
richck102
1 year, 10 months ago
A. Audit report
upvoted 2 times
...
meelaan
2 years, 1 month ago
Selected Answer: A
It is A as it is BEST
upvoted 1 times
...
Broesweelies
2 years, 3 months ago
Selected Answer: A
Audit report demonstrates that security controls are effective.
upvoted 4 times
...
D2D2
2 years, 5 months ago
Selected Answer: C
Risk and control self-assessment (RCSA) shows effectiveness.
upvoted 4 times
Ziggybooboo
2 years, 4 months ago
Agreed
upvoted 1 times
...
AlexJacobson
1 year, 3 months ago
Nope, these are for risk monitoring and reporting, the question is about effectiveness of security controls.
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other