Certified Information Systems Security Professional (CISSP) — Question 126

An organization needs to evaluate the effectiveness of security controls implemented on a new system. Which of the following roles should the organization entrust to conduct the evaluation?

Answer options

Correct answer: C

Explanation

The correct answer is C, Control assessor, because this role is specifically responsible for evaluating and testing the effectiveness of security controls. The Authorizing Official (AO) is involved in the approval process, the System owner manages the system's overall functionality, and the Information System Security Officer (ISSO) focuses on enforcing security policies rather than conducting evaluations.