4.5 Control Assessment Types

  • Risk practitioners must ensure that the data analyzed for control monitoring is complete, correct and accurate, which means the data source itself must be reviewed.

  • Data gathered directly by a risk practitioner is more reliable than data provided by a third party.


IS Audit

  • The role of the internal audit function is to monitor, evaluate and determine the effectiveness of internal controls and to report the results to management and the board of directors.

  • Risk practitioners can rely on an audit report from an independent auditor to determine the effectiveness and adequacy of the control environment.

  • Recommendations from the IS auditor add value by improving controls and by bringing risk to the attention of management.

  • Alignment of the risk management program with the audit program is of utmost importance for the overall risk management program of the organization.

  • A periodic audit is the most effective way to ensure that third-party service providers comply with the organization's information security policy and other contractual terms and conditions.



Vulnerability Assessment

  • A vulnerability assessment is the process of identifying weaknesses in a system and addressing them before they are exposed or compromised by an intruder.

  • Vulnerabilities can take the form of misconfigurations or missing updates; the objective of a VA is to identify these misconfigurations and missing updates.

  • Identified vulnerabilities should be reported to the respective system owners so that corrective action can be taken. System owners are responsible for ensuring that effective and adequate controls are in place to safeguard the system.

  • A risk practitioner conducting a vulnerability assessment must have sufficient knowledge of the existing security environment and architecture, as well as working experience with the tools and technologies used to conduct vulnerability assessments.

  • Automated tools are the best way to assess vulnerabilities; however, risk practitioners should be aware of the limitations of these tools and should continually look for ways to identify new and emerging risks.



Penetration Testing

  • The objective of penetration testing is to validate the findings of the vulnerability assessment: the tester attempts to exploit each identified vulnerability. If the attempt succeeds, the vulnerability is real and must be addressed at the earliest. Otherwise the vulnerability may be a false positive and may not require any mitigation. This is known as the white hat penetration approach, in which the tester is made aware of the vulnerabilities beforehand.

  • In the black hat approach, the tester is generally given no information about the control environment and is required to gain unauthorized access to systems using hacking tools and techniques.

  • To safeguard against system failure and data compromise, it is of utmost importance that:

      • The tester has sufficient experience in this field

      • The scope and objective of the test are clear and well understood by the testing team

      • The test is conducted only with management approval

      • The test is conducted using a defined methodology and under proper oversight

  • Penetration testing should be conducted at periodic intervals and also whenever there is a major change in the systems infrastructure, since such changes may introduce new exposures.

  • Penetration testing is the best way to ensure that network security is effective and adequate.
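The VA-to-pentest workflow described in the two sections above, as an added example that is not part of the original post: it flags missing updates and misconfigurations per system, routes the findings to the responsible system owners, and then applies penetration-test outcomes to separate confirmed vulnerabilities from possible false positives. All advisory versions, baseline settings, host names and owners are constructed for illustration.

```python
from collections import defaultdict

# Constructed advisory data: package -> first fixed version (hypothetical values).
ADVISORIES = {"openssl": "3.0.12", "nginx": "1.25.3"}
# Constructed secure-configuration baseline: setting -> required value.
BASELINE = {"ssh_password_auth": "no", "tls_legacy_enabled": "no"}

# Constructed inventory; host names and owners are hypothetical.
INVENTORY = [
    {"host": "web01", "owner": "web-team",
     "packages": {"openssl": "3.0.10", "nginx": "1.25.3"},
     "config": {"ssh_password_auth": "yes", "tls_legacy_enabled": "no"}},
    {"host": "db01", "owner": "dba-team",
     "packages": {"openssl": "3.0.12"},
     "config": {"ssh_password_auth": "no", "tls_legacy_enabled": "yes"}},
]

def version_tuple(v):
    """Turn '3.0.12' into (3, 0, 12) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def assess(inventory, advisories=ADVISORIES, baseline=BASELINE):
    """Vulnerability assessment: return (host, kind, detail) findings for
    packages below the fixed version and settings that deviate from the baseline."""
    findings = []
    for asset in inventory:
        for pkg, installed in asset["packages"].items():
            fixed = advisories.get(pkg)
            if fixed and version_tuple(installed) < version_tuple(fixed):
                findings.append((asset["host"], "missing-update",
                                 f"{pkg} {installed} < {fixed}"))
        for key, required in baseline.items():
            actual = asset["config"].get(key)
            if actual != required:
                findings.append((asset["host"], "misconfiguration",
                                 f"{key}={actual} (required {required})"))
    return findings

def route_to_owners(inventory, findings):
    """Group findings by the system owner responsible for corrective action."""
    owner_of = {asset["host"]: asset["owner"] for asset in inventory}
    grouped = defaultdict(list)
    for host, kind, detail in findings:
        grouped[owner_of[host]].append((host, kind, detail))
    return dict(grouped)

def validate_with_pentest(findings, exploitable):
    """Label each finding from the pentest outcome: exploitable maps (host, detail)
    -> True when the tester could exploit it; anything else is a possible false positive."""
    return [(host, kind, detail,
             "confirmed" if exploitable.get((host, detail)) else "possible false positive")
            for host, kind, detail in findings]
```

Findings the tester could not exploit are kept in the list rather than dropped, so the owner still sees them and can decide whether mitigation is needed.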



Third-party Assurance

  • Third-party assurance can take the form of certification or attestation of compliance with industry-recognized standards.

  • Some of the widely accepted and recognized standards and frameworks are:

      • ISO 27001

      • PCI DSS

      • COBIT 5

      • SSAE 16

  • Compliance with these standards helps the organization earn the confidence of its shareholders, customers, service providers and other stakeholders.

  • Certification or attestation is provided by an independent third party after it evaluates the organization's processes.

  • Cloud service providers and other third-party suppliers generally opt for third-party assurance, as establishing stakeholder confidence is very important to them.



Key aspects from CRISC exam perspective

CRISC Questions and Possible Answers

  • Role of an internal audit function: Monitoring, evaluating, examining and reporting on controls.

  • Most effective way to ensure that third-party providers comply with the organization's information security policy: Periodic audit.

  • Prime objective of a vulnerability assessment is to identify: Misconfigurations and missing updates.

  • Identified vulnerabilities should be immediately notified to: The system owner, to take corrective action.

  • Best time to perform a penetration test: At periodic intervals and also whenever there is a major change in the systems infrastructure.

  • Most important prerequisite before conducting a black box penetration test: The scope and objective of the test should be clear and well understood by the testing team.

  • Best way to determine the effectiveness of network security: Penetration testing.

