What are the two most common methods that security auditors use to assess an
organization’s security processes? (Choose two)
A.
social engineering attempts
B.
interviews
C.
policy assessment
D.
penetration testing
E.
document review
F.
physical observation
Please reference this link: http://www.ciscopress.com/articles/article.asp?p=1606900&seqNum=2
A, C, E seem to be the correct three answers but the question only wants two. So which two will Cisco deem as correct then?