Certified Information Systems Auditor (CISA) — Question 113

Which of the following should be identified FIRST when assessing the maturity level of an organization’s vulnerability management practices?

Answer options

• A. Applicable IT governance framework
• B. Key security team members to interview
• C. Applicable security framework
• D. Scope of vulnerability reports

Correct answer: C

Explanation

Identifying the Applicable security framework is crucial as it provides the foundational guidelines and standards that the organization should follow in its vulnerability management efforts. The other options, while important, do not establish the framework against which the maturity of practices can be evaluated and thus should not be the primary focus.