Certified in Risk and Information Systems Control (CRISC) — Question 824

Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?

Answer options

• A. A third-party audit
• B. Internal penetration testing
• C. Security operations center review
• D. An internal audit

Correct answer: A

Explanation

A third-party audit is conducted by an external entity, which ensures an impartial evaluation of security controls, making it the most objective option. In contrast, internal penetration testing, security operations center review, and internal audits may have biases due to their connection with the organization being assessed.