nerdexam
(ISC)2

CISSP · Question #1100

During testing, where are the requirements to inform parent organizations, law enforcement, and a computer incident response team documented?

The correct answer is B. Security assessment plan. The Security Assessment Plan (SAP) documents the rules and requirements governing how a security assessment will be conducted, including notification obligations to parent organizations, law enforcement, and incident response teams.

Submitted by javi_es· Mar 5, 2026Security Assessment and Testing

Question

During testing, where are the requirements to inform parent organizations, law enforcement, and a computer incident response team documented?

Options

  • AUnit test results
  • BSecurity assessment plan
  • CSystem integration plan
  • DSecurity Assessment Report (SAR)

How the community answered

(34 responses)
  • A
    12% (4)
  • B
    79% (27)
  • C
    6% (2)
  • D
    3% (1)

Why each option

The Security Assessment Plan (SAP) documents the rules and requirements governing how a security assessment will be conducted, including notification obligations to parent organizations, law enforcement, and incident response teams.

AUnit test results

Unit test results are outputs that document the outcomes of individual software component tests and do not contain procedural or legal notification requirements for organizations or law enforcement.

BSecurity assessment planCorrect

The Security Assessment Plan (SAP) is the authoritative document that establishes the scope, rules of engagement, and procedural requirements for a security assessment, including mandatory notification requirements to parent organizations, law enforcement, and CIRTs if testing triggers incidents or discoveries. It defines these obligations before testing begins so all stakeholders understand their roles and legal requirements. This is aligned with NIST SP 800-53A and FedRAMP SAP guidance, which require such escalation and notification procedures to be pre-documented in the plan.

CSystem integration plan

A System Integration Plan describes how system components are combined and interfaces are managed during integration, not the legal and organizational notification requirements during security testing.

DSecurity Assessment Report (SAR)

The Security Assessment Report (SAR) is a post-assessment artifact that documents findings, vulnerabilities, and recommendations after testing is complete, not the pre-established requirements and rules of engagement that govern the testing process.

Concept tested: Security Assessment Plan notification and escalation requirements

Source: https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final

Topics

#security assessment plan#incident response planning#documentation

Community Discussion

No community discussion yet for this question.

Full CISSP Practice