Certified Information Security Manager (CISM) — Question 1173

Which of the following provides the MOST useful information for identifying security control gaps on an application server?

Answer options

• A. Risk assessments
• B. Penetration testing
• C. Threat models
• D. Internal audit reports

Correct answer: B

Explanation

Penetration testing is the most effective method for uncovering security control gaps, as it simulates real-world attacks to identify vulnerabilities. While risk assessments, threat models, and internal audit reports provide valuable insights, they do not test the security controls in the same practical manner as penetration testing.