
4.5 Control Assessment Types




  • Risk practitioners must ensure that the data analysed for control monitoring is complete, correct and accurate, which is why the data source itself should be reviewed.


  • Data gathered directly by the risk practitioner is more reliable than data provided by a third party.


IS Audit


  • The role of internal audit is to monitor, evaluate and determine the effectiveness of internal controls and to report the results to management and the board of directors.


  • Risk practitioners can rely on the report of an independent auditor to determine the effectiveness and adequacy of the control environment.


  • Recommendations from the IS auditor add value by driving control enhancements and by bringing risk to the attention of management.


  • Alignment of the risk management program with the audit program is of utmost importance for the organization's overall risk management program.


  • Periodic audit is the most effective way to ensure that third-party service providers comply with the organization's information security policy and other contractual terms and conditions.



Vulnerability Assessment


  • A vulnerability assessment is the process of identifying weaknesses in a system so that they can be addressed before an intruder discovers and exploits them.


  • Vulnerabilities commonly take the form of misconfigurations or missing updates; the objective of a VA is to identify these misconfigurations and missing updates.

  • Identified vulnerabilities should be reported to the respective system owners for corrective action. System owners are responsible for ensuring that effective and adequate controls are in place to safeguard their systems.


  • A risk practitioner conducting a vulnerability assessment must have sufficient knowledge of the existing security environment and architecture, and hands-on experience with the tools and technologies used to conduct vulnerability assessments.


  • Automated tools are the best way to assess vulnerabilities; however, risk practitioners should be aware of the limitations of such tools (for example unauthenticated scans, out-of-date signatures, false positives and false negatives) and should always look for ways to identify new and emerging risks.
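The following is an added example, not code from the original notes, showing the two things the VA passage says an assessment looks for (missing updates and misconfigurations) over a constructed host inventory, with findings grouped by system owner for notification. It also shows one concrete tool limitation: comparing version numbers as text instead of as numbers, which produces both a false positive and a false negative on this inventory. The hosts, owners, package names, versions and baseline values are all made up for illustration.

```python
from collections import defaultdict

# Constructed baseline (assumed, not from the notes): minimum patched versions
# and the configuration values the security policy requires.
PATCHED_VERSIONS = {"openssh": "9.3", "nginx": "1.25.1", "openssl": "3.0.10"}
CONFIG_BASELINE = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}

# Constructed inventory, standing in for what a scanner collects from each host.
INVENTORY = [
    {"host": "web01", "owner": "web-team",
     "packages": {"openssh": "9.10", "nginx": "1.24.0"},
     "config": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"}},
    {"host": "db01", "owner": "dba-team",
     "packages": {"openssh": "9.3", "openssl": "3.0.9"},
     "config": {"PermitRootLogin": "no", "PasswordAuthentication": "yes"}},
]


def parse_version(version):
    """Turn '1.25.1' into (1, 25, 1) so each component compares numerically."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(installed, patched):
    """Correct check: compare version components as integers."""
    return parse_version(installed) < parse_version(patched)


def naive_is_outdated(installed, patched):
    """Flawed check: compare version strings as text.

    '9.10' sorts before '9.3' as text, so a patched host is reported as
    missing an update (false positive), while '3.0.9' sorts after '3.0.10',
    so a genuinely unpatched host is missed (false negative). The exploit
    attempt in a penetration test is one way such findings get validated.
    """
    return installed < patched


def missing_updates(packages, outdated=is_outdated):
    """Packages installed below the patched version, per the baseline."""
    return [
        f"{name} {installed} is below patched version {PATCHED_VERSIONS[name]}"
        for name, installed in sorted(packages.items())
        if name in PATCHED_VERSIONS and outdated(installed, PATCHED_VERSIONS[name])
    ]


def misconfigurations(config):
    """Settings that deviate from (or are missing from) the baseline."""
    return [
        f"{key}={config.get(key)} (baseline requires {expected})"
        for key, expected in sorted(CONFIG_BASELINE.items())
        if config.get(key) != expected
    ]


def assess(inventory, outdated=is_outdated):
    """Return findings grouped by system owner, ready for notification."""
    by_owner = defaultdict(list)
    for host in inventory:
        for detail in missing_updates(host["packages"], outdated):
            by_owner[host["owner"]].append((host["host"], "missing update", detail))
        for detail in misconfigurations(host["config"]):
            by_owner[host["owner"]].append((host["host"], "misconfiguration", detail))
    return dict(by_owner)


if __name__ == "__main__":
    for owner, findings in assess(INVENTORY).items():
        print(f"Notify {owner}:")
        for host, kind, detail in findings:
            print(f"  {host}: {kind}: {detail}")
```

Running `assess(INVENTORY)` reports one missing update and one misconfiguration per host; running it with `outdated=naive_is_outdated` instead wrongly flags openssh 9.10 on web01 and silently drops the openssl 3.0.9 finding on db01, which is the kind of tool limitation the notes warn about.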



Penetration Testing



  • The objective of penetration testing is to validate the findings of the vulnerability assessment. In a penetration test the tester attempts to exploit the identified vulnerability. If the attempt succeeds, the vulnerability is real and must be addressed at the earliest. If it fails, the vulnerability may be a false positive and may not require mitigation (a failed attempt is not proof, however: the tester may simply have lacked a working exploit, so unexploited findings should still be reviewed). When the tester is given information about the environment and the known vulnerabilities, this is known as a white box approach.


  • In a black box approach, the tester is given no information about the control environment and is required to gain unauthorized access to systems using hacking tools and techniques, as an external attacker would.


  • To safeguard against system failure and data compromise during a penetration test, it is of utmost importance that:


  • Tester should have sufficient experience in this field


  • Scope and objective of the test should be clear and well understood by testing team


  • Test should be conducted only with management approval


  • Test should be conducted using a defined methodology and under proper oversight


  • Penetration testing should be conducted at periodic intervals and also whenever there is a major change in the systems infrastructure, since such changes may introduce new exposures.


  • Penetration testing is the best way to ensure that network security is effective and adequate.



Third-party Assurance


  • Third-party assurance can take the form of certification or attestation of compliance with industry-recognized standards.


  • Some of the widely accepted and recognized standards and frameworks are:


  • ISO/IEC 27001

  • PCI DSS

  • COBIT 5

  • SSAE 16 (since superseded by SSAE 18, under which SOC reports are now issued)


  • Compliance with these standards helps the organization earn the confidence of its shareholders, customers, service providers and other stakeholders.


  • Certification or attestation is provided by an independent third party after it has evaluated the organization's processes.


  • Cloud service providers and other third-party suppliers generally opt for third-party assurance because establishing stakeholder confidence is very important to them. When relying on such a report, the risk practitioner should confirm that its scope, the period it covers and the controls it tested actually match the services the organization consumes.



Key aspects from CRISC exam perspective

CRISC question: Role of an internal audit function
Possible answer: Monitoring, evaluating, examining and reporting on controls.

CRISC question: Most effective way to ensure that a third-party provider complies with the organization's information security policy
Possible answer: Periodic audit

CRISC question: Prime objective of a vulnerability assessment is to identify
Possible answer: Misconfigurations and missing updates

CRISC question: Identified vulnerabilities should be immediately notified to
Possible answer: The system owner, to take corrective action

CRISC question: Best time to perform a penetration test
Possible answer: At periodic intervals and also when there is a major change in the systems infrastructure

CRISC question: Most important pre-requirement before conducting a black box penetration test
Possible answer: The scope and objective of the test should be clear and well understood by the testing team

CRISC question: Best way to determine the effectiveness of network security
Possible answer: Penetration testing





