Certified in Risk and Information Systems Control (CRISC) — Question 1264
Management has implemented additional administrative and technical controls to reduce the likelihood of a high-impact risk in a key information system. What is the BEST way to validate the effectiveness of the control implementation?
Answer options
- A. Perform a vulnerability scan.
- B. Perform an audit.
- C. Perform a penetration test.
- D. Perform a risk assessment.
Correct answer: B
Explanation
Performing an audit is the best way to validate the effectiveness of the control implementation because it systematically evaluates whether the controls exist, are operating as designed, and comply with policies and procedures. Vulnerability scans and penetration tests identify security weaknesses, and they exercise only the technical controls; they do not provide a comprehensive review of whether the administrative and technical controls together are functioning as intended. A risk assessment focuses on identifying and evaluating risks rather than validating control effectiveness.