CISSP Exam Questions

CISSP Exam - Question 262


The Chief Executive Officer (CEO) wants to implement an internal audit of the company's information security posture. The CEO wants to avoid any bias in the audit process and has therefore assigned the Sales Director to conduct the audit. After significant interaction over a period of weeks, the audit concludes that the company's policies and procedures are sufficient, robust and well established. The CEO then moves on to engage an external penetration testing company in order to showcase the organization's robust information security stance. This exercise reveals significant failings in several critical security controls and shows that the incident response processes remain undocumented. What is the MOST likely reason for this disparity between the results of the audit and the external penetration test?

Correct Answer: A

The internal audit conducted by the Sales Director likely did not have the necessary technical expertise to thoroughly evaluate the information security posture. Properly assessing security controls and incident response processes requires specialized knowledge which the Sales Director probably lacked. This inadequacy could lead to an incomplete or inaccurate audit, failing to identify critical vulnerabilities that an experienced external penetration testing company would uncover.

Discussion

8 comments
Jamati (Option: A)
Nov 10, 2022

A salesman has no business running InfoSec audits.

jackdryan
May 13, 2023

A is correct

rajkamal0 (Option: A)
Dec 28, 2022

A is the best answer.

Rollizo (Option: B)
Oct 1, 2022

It could really be that the internal audit had a focus only on commercial matters.

CuteRabbit168
Oct 10, 2022

It’s A. The Sales Director was assigned to conduct an information security audit.

629f731 (Option: B)
Jan 11, 2024

While technical expertise is crucial for certain assessments, the core reason for the disparity, given the context, seems to be the difference in scope and objectives between the internal audit and the external penetration test, making option B (The scope of the penetration test exercise and the internal audit were significantly different) the MOST likely reason.

oudmaster (Option: A)
Dec 20, 2022

B is not true, because the scope is the same as the PenTest: "Information Security Posture".

Proctored_Expert (Option: D)
Dec 21, 2022

D. The information technology (IT) and governance teams have failed to disclose relevant information to the internal audit team leading to an incomplete assessment being formulated.

xxxBadManxxx (Option: B)
Mar 21, 2024

The internal audit, conducted by the Sales Director, likely focused on assessing policies and procedures rather than conducting technical assessments or testing of critical security controls. Conversely, the external penetration test would have involved comprehensive technical testing, including attempts to exploit vulnerabilities and weaknesses in the system. This difference in scope could lead to varying results, with the external penetration test uncovering weaknesses that were not identified by the internal audit.

CCNPWILL (Option: A)
Jun 1, 2024

Answer is A ... Gimme question.