Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

ISC2 CISSP Exam - Topic 1 Question 113 Discussion

Actual exam question for ISC2's CISSP exam
Question #: 113
Topic #: 1
[All CISSP Questions]

Which of the following is considered the FIRST step when designing an internal security control assessment?

Show Suggested Answer Hide Answer
Suggested Answer: C

An internal security control assessment is a process of evaluating the effectiveness and compliance of the security controls implemented within an organization. The first step when designing an internal security control assessment is to create a plan based on a recognized framework of known controls, such as the NIST SP 800-53, ISO/IEC 27002, or COBIT. A framework of known controls provides a comprehensive and consistent set of security objectives, requirements, and best practices that can be used as a reference and a benchmark for the assessment. The other options are not considered the first step when designing an internal security control assessment, as they may not cover all the relevant aspects of security, may not be aligned with the organization's goals and risks, or may not be feasible or reliable.Reference:CISSP - Certified Information Systems Security Professional, Domain 1. Security and Risk Management, 1.4 Understand and apply risk management concepts, 1.4.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements, 1.4.5.1 Internal security assessments;CISSP Exam Outline, Domain 1. Security and Risk Management, 1.4 Understand and apply risk management concepts, 1.4.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements, 1.4.5.1 Internal security assessments


by Shawna at Mar 06, 2026, 01:22 PM

Limited Time Offer

25%

Off

Get Premium CISSP Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Ellen
3 hours ago
I feel like creating a plan based on known breaches could be a good starting point, but it might not cover everything we need to assess.
upvoted 0 times
...
Antonio
5 days ago
I'm not entirely sure, but I remember something about using recent vulnerability scans to inform the assessment. Maybe that's important too?
upvoted 0 times
...
Paola
10 days ago
I think the first step should be based on a recognized framework of known controls, like NIST or ISO. That seems foundational.
upvoted 0 times
...

Save Cancel