Certified Information Systems Security Professional (CISSP) — Question 449
What is the MAIN purpose of a security assessment plan?
Answer options
- A. Provide education to employees on security and privacy, to ensure their awareness of policies and procedures.
- B. Provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments.
- C. Provide guidance on security requirements, to ensure the identified security risks are properly addressed based on the recommendation.
- D. Provide technical information to executives to help them understand information security postures and secure funding.
Correct answer: B
Explanation
The correct answer, B, captures the defining function of a security assessment plan: stating the objectives of the security and privacy control assessments and laying out a detailed roadmap for how those assessments will be conducted. Options A, C, and D describe other aspects of security management (employee education, guidance on security requirements, and technical briefings for executives), none of which is the primary purpose of a security assessment plan.