Certified Information Systems Auditor (CISA) — Question 1271

The practice of periodic secure code reviews is which type of control?

Answer options

• A. Compensating
• B. Detective
• C. Preventive
• D. Corrective

Correct answer: B

Explanation

Periodic secure code reviews are classified as detective controls because they help identify vulnerabilities and issues in the code after it has been written. Compensating controls are alternative measures to reduce risk, preventive controls aim to stop incidents before they occur, and corrective controls are designed to fix issues after they have been detected.