
The information security compliance audit — Quiz

1. What is the primary purpose of a cybersecurity compliance audit within the GRC framework? (Choose one answer)
   a) To identify new and emerging security vulnerabilities before attackers can exploit them
   b) To independently validate that implemented controls are effective and meet defined criteria
   c) To develop organizational policies and set the risk appetite for leadership
   d) To directly implement technical security controls based on risk assessment results

2. Which of the following is NOT a typical driver for initiating a compliance audit? (Choose one answer)
   a) A contractual requirement from a major customer for a SOC 2 report
   b) The internal audit department's annual review schedule mandated by corporate policy
   c) The IT security team's decision to run a monthly vulnerability scan
   d) The legal obligation to demonstrate adherence to the HIPAA Security Rule

3. During which phase of the audit process does the auditor perform activities such as interviewing control owners and reviewing system configurations? (Choose one answer)
   a) Planning & Scoping
   b) Evidence Collection
   c) Testing & Evaluation
   d) Reporting & Documentation

4. A completed audit report identifies that a required quarterly access review was skipped. What is the critical next step for the audited organization to close the compliance loop? (Choose one answer)
   a) Immediately fire the responsible control owner
   b) Develop and execute a Corrective Action Plan (CAP) with root cause analysis
   c) Re-scope the audit to exclude access management controls in the future
   d) Challenge the auditor's findings and request a new audit team

5. How does the compliance audit process integrate with the NIST Risk Management Framework (RMF)? (Choose one answer)
   a) The audit's Planning phase directly corresponds to the RMF IMPLEMENT step
   b) The audit's Testing & Evaluation provides the core assessment for the RMF ASSESS step
   c) The audit's Reporting phase finalizes the RMF MONITOR step
   d) The audit's Evidence Collection is part of the RMF CATEGORIZE step
