Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

ISC2 CISSP Exam - Topic 1 Question 113 Discussion

Actual exam question for ISC2's CISSP exam
Question #: 113
Topic #: 1
[All CISSP Questions]

Which of the following is considered the FIRST step when designing an internal security control assessment?

Show Suggested Answer Hide Answer
Suggested Answer: C

An internal security control assessment is a process of evaluating the effectiveness and compliance of the security controls implemented within an organization. The first step when designing an internal security control assessment is to create a plan based on a recognized framework of known controls, such as the NIST SP 800-53, ISO/IEC 27002, or COBIT. A framework of known controls provides a comprehensive and consistent set of security objectives, requirements, and best practices that can be used as a reference and a benchmark for the assessment. The other options are not considered the first step when designing an internal security control assessment, as they may not cover all the relevant aspects of security, may not be aligned with the organization's goals and risks, or may not be feasible or reliable.Reference:CISSP - Certified Information Systems Security Professional, Domain 1. Security and Risk Management, 1.4 Understand and apply risk management concepts, 1.4.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements, 1.4.5.1 Internal security assessments;CISSP Exam Outline, Domain 1. Security and Risk Management, 1.4 Understand and apply risk management concepts, 1.4.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements, 1.4.5.1 Internal security assessments


by Shawna at Mar 06, 2026, 01:22 PM

Limited Time Offer

25%

Off

Get Premium CISSP Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Novella
15 days ago
A is a solid choice too, but it feels a bit reactive.
upvoted 0 times
...
Hildred
20 days ago
I disagree, B makes more sense since we learn from past breaches.
upvoted 0 times
...
Toi
25 days ago
I think it's definitely C, frameworks are key!
upvoted 0 times
...
Melinda
1 month ago
I disagree, C is the standard approach in most cases.
upvoted 0 times
...
Marica
1 month ago
Surprised that B is even an option, breaches are so varied!
upvoted 0 times
...
Rose
1 month ago
I’m leaning towards D, you need to know your infrastructure first.
upvoted 0 times
...
Yvette
2 months ago
A seems more practical to me, recent scans are crucial.
upvoted 0 times
...
Minna
2 months ago
I think it’s definitely C, frameworks are key!
upvoted 0 times
...
Anabel
2 months ago
I practiced a question similar to this, and I think reconnaissance of the organization's infrastructure is crucial, but it might not be the very first step.
upvoted 0 times
...
Ellen
2 months ago
I feel like creating a plan based on known breaches could be a good starting point, but it might not cover everything we need to assess.
upvoted 0 times
...
Antonio
2 months ago
I'm not entirely sure, but I remember something about using recent vulnerability scans to inform the assessment. Maybe that's important too?
upvoted 0 times
...
Paola
2 months ago
I think the first step should be based on a recognized framework of known controls, like NIST or ISO. That seems foundational.
upvoted 0 times
...

Save Cancel