
Isaca CISA Exam - Topic 8 Question 96 Discussion

Actual exam question for Isaca's CISA exam
Question #: 96
Topic #: 8

The GREATEST concern for an IS auditor reviewing vulnerability assessments by the auditee would be if the assessments are:

A) Conducted once per year just before system audits are scheduled.
B) Conducted by the internal technical team instead of external experts.
C) Performed for critical systems, not for the entire infrastructure.
D) Performed using open-source testing tools.

Suggested Answer: A

Comprehensive and Detailed Step-by-Step Explanation:

Conducting vulnerability assessments only once per year, right before an audit, creates a false sense of security and leaves systems exposed between assessments.

Annual Testing Before Audit (Correct Answer -- A)

Risks leaving vulnerabilities undetected for extended periods.

Example: A company only tests security before a compliance audit, allowing zero-day threats to persist for months.

Internal Team Conducting Assessments (Incorrect -- B)

Not ideal, but the frequency of assessments is the more critical issue.

Focusing on Critical Systems (Incorrect -- C)

Not perfect, but better than no testing at all.

Using Open-Source Tools (Incorrect -- D)

Open-source tools can be effective if properly configured.

References:

ISACA CISA Review Manual

NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)
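The explanation above rates the options by how much risk each leaves unaddressed: cadence (A), independence (B) and scope (C). An auditor reviewing an assessment programme can turn those criteria into concrete checks against the auditee's scan history and asset inventory. The following Python is an added example, not from the original page or from ISACA; the scan dates, audit dates, asset inventory, thresholds and function names are all constructed for illustration and are not taken from any standard.

```python
from datetime import date

# Constructed sample data (not from any real environment): one assessment
# per year, each run a few weeks before the scheduled audit (the option A pattern).
SCAN_DATES = [date(2023, 3, 1), date(2024, 3, 3), date(2025, 2, 27)]
AUDIT_DATES = [date(2023, 3, 20), date(2024, 3, 25), date(2025, 3, 18)]

# Constructed asset inventory versus the assets the scans actually covered
# (the option C pattern: only the "critical" systems are assessed).
INVENTORY = {"erp-db", "erp-app", "payroll", "hr-portal", "print-srv", "dev-jenkins"}
SCANNED = {"erp-db", "erp-app", "payroll"}


def max_gap_days(scan_dates):
    """Longest interval, in days, between consecutive assessments.

    Returns None when fewer than two assessments exist, which an auditor
    should treat as a finding in its own right.
    """
    ordered = sorted(scan_dates)
    if len(ordered) < 2:
        return None
    return max((later - earlier).days for earlier, later in zip(ordered, ordered[1:]))


def pre_audit_fraction(scan_dates, audit_dates, window_days=45):
    """Share of assessments that fall within window_days before some audit date.

    A value near 1.0 means scanning is timed to the audit calendar rather
    than run as an ongoing control.
    """
    if not scan_dates:
        return 0.0
    hits = sum(
        1 for scan in scan_dates
        if any(0 <= (audit - scan).days <= window_days for audit in audit_dates)
    )
    return hits / len(scan_dates)


def coverage_ratio(inventory, scanned):
    """Fraction of inventoried assets that appear in at least one assessment."""
    if not inventory:
        return 0.0
    return len(inventory & scanned) / len(inventory)


def review_assessment_programme(scan_dates, audit_dates, inventory, scanned,
                                max_gap=100, window_days=45, min_coverage=0.9):
    """Return a list of finding strings; an empty list means no concern was raised.

    Thresholds are assumptions for this example (roughly quarterly cadence,
    scans not clustered before audits, at least 90% asset coverage).
    """
    findings = []

    gap = max_gap_days(scan_dates)
    if gap is None or gap > max_gap:
        findings.append(
            f"cadence: longest gap between assessments is {gap} days (limit {max_gap})")

    share = pre_audit_fraction(scan_dates, audit_dates, window_days)
    if share >= 0.8:
        findings.append(
            f"timing: {share:.0%} of assessments fall within {window_days} days before an audit")

    cov = coverage_ratio(inventory, scanned)
    if cov < min_coverage:
        findings.append(
            f"scope: only {cov:.0%} of inventoried assets were assessed (minimum {min_coverage:.0%})")

    return findings


if __name__ == "__main__":
    for finding in review_assessment_programme(SCAN_DATES, AUDIT_DATES, INVENTORY, SCANNED):
        print(finding)
```

Run against the constructed data, the check raises all three findings; the cadence and timing findings together are what the question's answer A describes, and the scope finding corresponds to option C. Swapping in a quarterly scan schedule and a complete inventory produces no findings, which is the state an auditor would expect to see.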


Contribute your Thoughts:

Artie
3 months ago
Internal teams might miss things that outsiders would catch.
upvoted 0 times

Arlette
3 months ago
Yearly assessments are better than nothing, but still risky.
upvoted 0 times

Graciela
3 months ago
Wait, are we really trusting open-source tools for this?
upvoted 0 times

Gianna
4 months ago
Totally agree, only testing critical systems isn't enough!
upvoted 0 times

Myong
4 months ago
I think option C is a huge red flag.
upvoted 0 times

Leana
4 months ago
I vaguely recall that using open-source tools isn't necessarily bad, but it might raise questions about thoroughness. So D might not be the greatest concern.
upvoted 0 times

Delisa
4 months ago
I feel like option C could be a major red flag too. If they're only assessing critical systems, what about the rest of the infrastructure?
upvoted 0 times

Evangelina
4 months ago
I'm not really sure, but I remember something about internal teams possibly missing things that external experts would catch. So maybe B is a concern?
upvoted 0 times

Effie
5 months ago
I think the biggest issue might be if the assessments are only done once a year, like option A. That doesn't seem frequent enough to catch vulnerabilities.
upvoted 0 times

Cory
5 months ago
I think the auditor would be most worried if the assessments were done by the internal team instead of external experts. That could lead to biased or incomplete results. I'm going with option B.
upvoted 0 times

Lemuel
5 months ago
Okay, I've got this. The key here is that the auditor would be most concerned if the vulnerability assessments were not comprehensive and didn't cover the entire infrastructure. That's the biggest risk, so option C is the answer.
upvoted 0 times

Tesha
5 months ago
Hmm, this is a tricky one. I'm not sure if the frequency, the source, the scope, or the tools used for the assessments would be the biggest concern. I'll have to think this through carefully.
upvoted 0 times

Ruthann
5 months ago
This question seems straightforward, but I want to make sure I understand the key concern the auditor would have. I'll need to carefully read through the options to identify the one that poses the greatest risk.
upvoted 0 times

Fernanda
12 months ago
B is the winner here. I don't trust those internal teams; they always want to make things look better than they are.
upvoted 0 times

Doretha
12 months ago
Haha, I bet the correct answer is A. Waiting until the last minute? That's the IT auditor way, am I right?
upvoted 0 times

Alva
11 months ago
B) Conducted by the internal technical team instead of external experts.
upvoted 0 times

Lewis
11 months ago
A) Conducted once per year just before system audits are scheduled.
upvoted 0 times

Cathrine
1 year ago
C is the way to go. Focusing on critical systems is a smart move; you don't need to waste time on everything.
upvoted 0 times

Sylvie
1 year ago
I think conducting the assessments using open-source testing tools could also be a concern, as they may not be as thorough as proprietary tools.
upvoted 0 times

Santos
1 year ago
D seems like the best option to me. Open-source tools are often more comprehensive and reliable than commercial ones.
upvoted 0 times

Allene
11 months ago
D) Performed using open-source testing tools.
upvoted 0 times

Yoko
11 months ago
C) Performed for critical systems, not for the entire infrastructure.
upvoted 0 times

Asha
12 months ago
B) Conducted by the internal technical team instead of external experts.
upvoted 0 times

Devorah
12 months ago
A) Conducted once per year just before system audits are scheduled.
upvoted 0 times

Graciela
1 year ago
I think the answer is B. Having the internal team conduct the assessments could lead to a conflict of interest and potential bias in the results.
upvoted 0 times

Ethan
1 year ago
B) Conducted by the internal technical team instead of external experts.
upvoted 0 times

Nida
1 year ago
A) Conducted once per year just before system audits are scheduled.
upvoted 0 times

Paulina
1 year ago
I agree with Carlton. That could lead to a false sense of security.
upvoted 0 times

Carlton
1 year ago
I think the greatest concern would be if the assessments are conducted once per year just before system audits are scheduled.
upvoted 0 times