1. ISACA, CISM Review Manual, 15th Edition. Domain 3: Information Security Program Development and Management, Section 3.5, "Information Security Program Monitoring and Reporting." This section emphasizes that monitoring activities, such as audits and reviews, are essential for providing assurance to stakeholders that the security program is effective. An audit is presented as a formal, independent mechanism to assess the adequacy of the control environment, making it a primary indicator of security status (Task D3.6).
2. ISACA, CISM Review Manual, 15th Edition. Domain 3: Information Security Program Development and Management, Section 3.4, "Information Security Control Design and Implementation." This section distinguishes between different types of control tests. It describes penetration testing as a method to "simulate an attack on a system" to identify vulnerabilities, highlighting its specific and limited scope compared to a comprehensive audit that reviews the entire control framework.
3. Fomin, V. V., & de Vries, H. J. (2016). The role of standards in the development of information infrastructures. In The 9th IADIS International Conference Information Systems 2016 (pp. 3-10). This publication discusses how compliance with standards, verified through audits, is a key mechanism for ensuring and demonstrating the security and reliability of information systems, thus serving as a primary indicator of security status.
4. Peltier, T. R. (2013). Information Security Fundamentals (2nd ed.). CRC Press. Chapter 11, "Security Auditing and Testing," explains that a security audit is a "methodical examination and review" that provides a "snapshot of the security of an organization at a given point in time." It contrasts this broad review with testing (like penetration testing), which is focused on finding specific flaws. This supports the audit as the most comprehensive indicator. (Note: While a textbook, it is widely used in university curricula and reflects foundational principles aligned with CISM.)