Certified Information Security Manager (CISM) — Question 739
Penetration testing is MOST appropriate when a:
Answer options
- A. new system is about to go live.
- B. security incident has occurred.
- C. security policy is being developed.
- D. new system is being designed.
Correct answer: A
Explanation
The correct answer is A because penetration testing is ideally performed right before a new system goes live, to identify any vulnerabilities that could be exploited. Options B, C, and D are not the optimal timing for penetration testing: they describe an incident or phases in which testing may not be as effective in ensuring security readiness.