Well, what would you ask?
These seem to be the kind of questions that might be asked by someone with a strong technical bias. The CISSP cert is supposed to be more oriented towards security management than to the technical aspects, so what would you ask?
We should, I think, be asking about "The Tone At The Top", the organization's attitude towards security, but what does that mean in terms of interview questions?
My thoughts tend towards Policy and Certification, but then many of my past clients have been financial, so regulatory compliance looms large for them. I'd certainly ask about Policy: how it is formulated, how it is communicated and how it is enforced. That's not as easy as it sounds: most people know what should be done, but ask that tactlessly and, other than being an opening ("Yes, I can work on that for you"), all you've done is embarrass the interviewer.
So we have a refinement that the article never touched on: this is an interview not an audit.
Posted by Anton Aylward
I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity