Certified Information Security Manager (CISM) — Question 68
Which of the following is the PRIMARY reason that an information security manager would contract with an external provider to perform penetration testing?
Answer options
- A. To obtain an independent network security certification
- B. To mitigate gaps in technical skills
- C. To obtain an independent view of vulnerabilities
- D. To obtain the full list of system vulnerabilities
Correct answer: C
Explanation
C is correct because an external provider supplies an independent perspective on vulnerabilities, which is crucial for an unbiased evaluation. Option A focuses on certification rather than assessment, option B addresses skills gaps but does not emphasize independence, and option D misrepresents the goal of penetration testing as merely listing vulnerabilities rather than assessing them independently.