Certified in Risk and Information Systems Control (CRISC) — Question 415
A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?
Answer options
- A. Gap assessment
- B. Business impact analysis (BIA)
- C. Code review
- D. Penetration test
Correct answer: D
Explanation
The correct choice is D. A vulnerability assessment only lists weaknesses; it does not show whether each one can actually be exploited, what an attacker could reach through it, or how far a compromise could go. A penetration test takes those findings and attempts to exploit them against the live, web-facing application, so it establishes exploitability and the realistic extent of compromise, which are the inputs needed to turn a list of vulnerabilities into an estimate of risk exposure. A gap assessment (A) compares existing controls against a standard or policy and says nothing about whether the discovered weaknesses are exploitable. A business impact analysis (B) quantifies the consequences of losing the application but does not establish the likelihood that any of these weaknesses will be used against it; it becomes useful once exploitability is known. A code review (C) is another way of finding vulnerabilities in the source, so it would add to the list of weaknesses rather than measure the exposure created by the ones already found.