CISM Certified Information Security Manager – Question 1107

Which of the following should be in place before a black box penetration test begins?

A. IT management approval
B. Proper communication and awareness training
C. A clearly stated definition of scope
D. An incident response plan

Correct Answer: C

Explanation:

Having a clearly stated definition of scope is most important to ensure a proper understanding of risk as well as success criteria. IT management approval may not be required, based on senior management decisions. Communication, awareness and an incident response plan are not necessary requirements. In fact, a penetration test could help promote the creation and execution of the incident response plan.