Certified Information Systems Security Professional (CISSP) — Question 3
A Certified Information Systems Security Professional (CISSP) with identity and access management (IAM) responsibilities is asked by the Chief Information Security Officer (CISO) to perform a vulnerability assessment on a web application to pass a Payment Card Industry (PCI) audit. The CISSP has never performed this before. According to the (ISC)² Code of Professional Ethics, which of the following should the CISSP do?
Answer options
- A. Inform the CISO that they are unable to perform the task because they should render only those services for which they are fully competent and qualified
- B. Since they are CISSP certified, they have enough knowledge to assist with the request, but will need assistance in order to complete it in a timely manner
- C. Review the CISSP guidelines for performing a vulnerability assessment before proceeding to complete it
- D. Review the PCI requirements before performing the vulnerability assessment
Correct answer: A
Explanation
The correct answer is A because the (ISC)² Code of Professional Ethics emphasizes that professionals should only engage in tasks for which they are fully qualified. Option B incorrectly suggests that having a CISSP certification is enough without relevant experience, while options C and D focus on reviewing guidelines and requirements, which do not address the immediate ethical obligation to decline the task if not competent.