Certified Information Systems Auditor (CISA) — Question 732

Which of the following is MOST important when assembling an internal team to perform penetration testing for the organization?

Answer options

• A. Obtain a listing of key systems for testing from management.
• B. Gain agreement from management on timing and scope.
• C. Perform a scan and identify in-scope assets.
• D. Query the company directory to find privileged users.

Correct answer: B

Explanation

The correct answer is B because gaining agreement from management on timing and scope ensures that the penetration test aligns with organizational goals and constraints. Options A, C, and D are important steps in the process but do not address the foundational agreement needed for a successful test.