Certified Information Systems Auditor (CISA) — Question 1412
An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?
Answer options
- A. Determine exposure to the business.
- B. Increase monitoring for security incidents.
- C. Hire a third party to perform security testing.
- D. Adjust future testing activities accordingly.
Correct answer: A
Explanation
The best course of action is to determine exposure to the business, as this helps understand the potential risks and impacts of incomplete security tests. Increasing monitoring for security incidents may help detect issues but does not address the root cause. Hiring a third party for testing may be beneficial but is not the immediate priority. Adjusting future testing activities is important but does not mitigate the current risks posed by the incomplete tests.