Free ISC2 CISSP Actual Exam Questions - Question 9 Discussion

C/D? Security policies (C) show what should be in place, while configuration settings (D) prove if it's actually done right. Checking both gives a fuller picture than just one or the other.

It’s D for me. Configuration settings directly show how security policies are implemented in practice, so checking them helps uncover any gaps or misconfigurations that policies alone won’t reveal. You can have solid policies on paper, but if the configs aren’t right, the system’s at risk. Plus, configurations are tangible and measurable, unlike some policies that can be vague.

Actually, I think A makes a strong case here. The audit policy sets the scope and objectives for the entire audit, so understanding it first helps make sense of all other info you gather. Without knowing what the audit aims to cover, reviewing logs or configs might miss the bigger picture. It’s like your roadmap before you start digging into the details. So while logs, policies, and configs are important, the audit policy frames everything and guides what’s most relevant to check.

I’m going with B here, since security logs show real-time events and can reveal actual threats or breaches, making them crucial for an IT audit. B

D, because configuration settings give a clear picture of how systems are actually set up and help spot any deviations from expected security baselines.

C