CompTIA Security+ (SY0-701) — Question 184
The Chief Information Security Officer (CISO) at a large company would like to gain an understanding of how the company's security policies compare to the requirements imposed by external regulators. Which of the following should the CISO use?
Answer options
- A. Penetration test
- B. Internal audit
- C. Attestation
- D. External examination
Correct answer: B
Explanation
An Internal audit is designed to evaluate the company's own policies and controls against both internal requirements and external regulations, which is exactly the comparison the CISO is looking for. A Penetration test focuses on identifying technical vulnerabilities rather than policy-to-regulation alignment, while Attestation involves verifying compliance but is not as comprehensive. An External examination may provide some insights, but it does not replace the thorough assessment that an Internal audit offers.