Certified Information Systems Auditor (CISA) — Question 366

Providing security certification for a new system should include which of the following prior to the system's implementation?

Answer options

• A. End-user authorization to use the system in production
• B. Testing of the system within the production environment
• C. An evaluation of the configuration management practices
• D. External audit sign-off on financial controls

Correct answer: C

Explanation

The correct answer is C, as evaluating configuration management practices is essential for ensuring the system is secure and properly managed before implementation. Options A and B are not appropriate as they pertain to user access and testing in production, which should occur after certification. Option D, while important, is focused on financial controls rather than the security of the system itself.