Certified in Risk and Information Systems Control (CRISC) — Question 1129
Which of the following criteria is MOST important to include in an agreement with a penetration testing vendor?
Answer options
- A. Scope of the systems to be assessed
- B. Steps to remediate identified vulnerabilities
- C. Expectations of code escrow safeguards
- D. Details of testing methods to be used
Correct answer: A
Explanation
The scope of the systems to be assessed is the most critical criterion because it defines the boundaries and targets of the penetration test, so both parties share a clear understanding of which systems may be tested and which may not. Remediation steps and testing methods are important, but they are secondary to agreeing on the right systems to include in the assessment. Code escrow safeguards are of little relevance in a penetration testing agreement.