Certified Information Security Manager (CISM) — Question 537
An information security manager needs to ensure security testing is conducted on a new system. Which of the following would provide the HIGHEST level of assurance?
Answer options
- A. The vendor provides the results of a penetration test and code review.
- B. An independent party is directly engaged to conduct testing.
- C. The internal audit team is enlisted to run a vulnerability assessment against the system.
- D. The security team conducts a self-assessment against a recognized industry framework.
Correct answer: B
Explanation
Option B is correct because an independent party engaged directly by the organization has no stake in the system's development or operation, so it can evaluate the system objectively and thoroughly. Options A, C, and D rely on the vendor or internal teams, which may have conflicts of interest (for example, a vendor reporting on its own product) or lack the independence, scope, or specialist skills needed for a complete assessment.