CISA QUESTION #6854
Question 1
An IS auditor finds that penetration testing is conducted annually but identified vulnerabilities are not tracked in a centralized system and remediation is not verified. What is the PRIMARY control weakness?
  • Insufficient testing frequency
  • Lack of vulnerability remediation tracking and verification makes testing ineffective ✔️
  • Poor documentation
  • Limited testing scope
Correct Answer Explanation
Penetration testing is only valuable if findings lead to remediation. Without centralized tracking and verification, vulnerabilities may not be fixed, fixes may be incomplete, or new vulnerabilities may be introduced. The testing investment provides no actual security improvement if findings are not systematically addressed and verified.