Certified in Risk and Information Systems Control (CRISC) — Question 589

Which of the following is the BEST way to determine whether new controls mitigate security gaps in a business system?

Answer options

• A. Conduct a compliance check against standards.
• B. Perform a vulnerability assessment.
• C. Measure the change in inherent risk.
• D. Complete an offsite business continuity exercise.

Correct answer: B

Explanation

The correct answer is B, as performing a vulnerability assessment directly identifies security gaps and assesses the effectiveness of new controls in mitigating those gaps. The other options, while useful in their own right, do not specifically evaluate the effectiveness of controls in addressing vulnerabilities.