Certified Information Systems Security Professional (CISSP) — Question 116
An established information technology (IT) consulting firm is considering acquiring a successful local startup. To gain a comprehensive understanding of the startup's security posture, which type of assessment provides the BEST information?
Answer options
- A. A security audit
- B. A tabletop exercise
- C. A penetration test
- D. A security threat model
Correct answer: A
Explanation
A security audit provides a detailed review of the startup's security policies, procedures, and controls, making it the best choice for understanding its overall security posture. In contrast, a tabletop exercise focuses on scenario-based discussions, a penetration test assesses vulnerabilities but may not cover all security aspects, and a security threat model identifies potential threats rather than evaluating existing security measures.