Certified Information Systems Auditor (CISA) — Question 300
Which of the following should be done FIRST when planning a penetration test?
Answer options
- A. Define the testing scope.
- B. Determine reporting requirements for vulnerabilities.
- C. Obtain management consent for the testing.
- D. Execute nondisclosure agreements (NDAs).
Correct answer: C
Explanation
The correct answer is C: obtaining management consent comes first because it establishes that the testing is authorized and legal. Without that approval, the test could be treated as unauthorized activity, with legal ramifications for the tester. The other options (defining scope, determining reporting requirements, and executing NDAs), while important, should be addressed only after management consent has been secured.