Certified Information Systems Auditor (CISA) — Question 810
Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?
Answer options
- A. Establish the timing of testing.
- B. Identify milestones.
- C. Determine the test reporting.
- D. Establish the rules of engagement.
Correct answer: D
Explanation
The correct answer is D. The rules of engagement are the written agreement between the tester and the client that defines what the test may touch and how: the in-scope and out-of-scope systems and addresses, the internal and external test boundaries, permitted and prohibited techniques (for example, whether denial-of-service or social engineering is allowed), testing windows, points of contact and escalation paths, handling of any sensitive data encountered, and the legal authorization that makes the activity lawful. Until this framework is agreed, the other items cannot be meaningfully fixed: the timing of testing (A) must fall within the windows the rules allow, milestones (B) are derived from the agreed scope and test phases, and the test reporting format and recipients (C) are themselves typically specified in the rules of engagement. All three are important, but they follow from, rather than precede, an agreed-upon set of rules.