Study CompTIA SY0-701 Audits and Assessments: key concepts, common traps, and exam decision cues.
Audits and assessments are where organizations prove, test, or challenge their security claims. Security+ expects you to know the difference between internal and external review, attestation and evidence, and formal assessments versus offensive testing.
CompTIA is usually checking whether you can match each activity to its main purpose:
| Activity | Main purpose |
|---|---|
| Internal audit | independent internal review of controls and compliance posture |
| External audit | outside review for customers, regulators, or formal obligations |
| Attestation | formal assertion that stated conditions or controls are true |
| Assessment | structured evaluation of control effectiveness or risk |
| Penetration test | authorized exploitation to validate real attack impact |

| Need | Strongest first fit | Why |
|---|---|---|
| Independent internal readiness check | Internal audit | Tests control maturity before outside scrutiny |
| Customer or regulator needs outside assurance | External audit | Provides third-party validation |
| Formal statement that controls meet stated conditions | Attestation | Focuses on asserted status and supporting evidence |
| Broader technical or control evaluation | Assessment | Tests whether the control environment is effective |
| Proof that a weakness can be exploited | Penetration test | Demonstrates real attack impact under authorization |
```yaml
review: internal-audit
scope:
  - user-access-reviews
  - privileged-account-logging
evidence:
  - quarterly_access_review_report
  - admin_log_samples
  - remediation_ticket_status
owner: security-governance
```

What to notice:
Security+ likes answer choices that sound similar but prove different things. Those are related, but not interchangeable.
A company wants proof that a public web application weakness is actually exploitable before disrupting production with a major emergency change. Which option is strongest?
A. Annual awareness training
B. Penetration testing performed within an approved scope
C. A generic high-level attestation statement
D. A visitor-access report
Best answer: B. The question asks for proof of exploitability, which is what authorized offensive testing is designed to provide.
Audit and assessment questions are about what is being validated. If the goal is independent verification of required controls, think audit. If the goal is proving exploitability, think penetration test. If the goal is broad weakness discovery, think vulnerability assessment. Security+ usually rewards the activity that matches the verification objective, not the most aggressive test label.
Continue with 5.6 Security Awareness & Training to finish the governance chapter with the human-control layer Security+ expects you to recognize.