An interesting point was made the other day by Joel Scambray in a presentation that he gave to the WTIA Security SIG. How many tests does a doctor do when you go in for a checkup? The number is around 8: weight, blood pressure, etc. Of course this will not diagnose some ailments, but even if you take the Pareto principle and say that it gives a trained practitioner a good guess at 80% of the common things that could be wrong with someone who walks into their office, that's a pretty good outcome.
If that is the case, given the complexity of the human body, then why do most information security frameworks (ISO, COBIT, PCI) have over 100 (in some cases over 200) individual controls? Can't we just ask 8-10 questions and get a good feeling for 80% of the major things that are wrong with an information security or privacy program?
If we can, what are those key 8-10 questions that would help us determine whether we need to get a specialist involved to do more detailed testing?