nerdexam
(ISC)2

CISSP · Question #1305

In setting expectations when reviewing the results of a security test, which of the following statements is MOST important to convey to reviewers?

The correct answer is B. The results of the tests represent a point-in-time assessment of the target(s).. Security test results reflect the state of a system at the specific moment testing occurred, not a continuous or permanent assessment. Communicating this limitation is critical for proper interpretation of findings.

Submitted by andreas_gr· Mar 5, 2026Security Assessment and Testing

Question

In setting expectations when reviewing the results of a security test, which of the following statements is MOST important to convey to reviewers?

Options

  • AThe target's security posture cannot be further compromised.
  • BThe results of the tests represent a point-in-time assessment of the target(s).
  • CThe accuracy of testing results can be greatly improved if the target(s) are properly hardened.
  • DThe deficiencies identified can be corrected immediately

How the community answered

(27 responses)
  • A
    4% (1)
  • B
    93% (25)
  • D
    4% (1)

Why each option

Security test results reflect the state of a system at the specific moment testing occurred, not a continuous or permanent assessment. Communicating this limitation is critical for proper interpretation of findings.

AThe target's security posture cannot be further compromised.

Concluding that a target cannot be further compromised after a security test is a dangerous and inaccurate assumption, as no test guarantees exhaustive coverage of all attack vectors or zero-day vulnerabilities.

BThe results of the tests represent a point-in-time assessment of the target(s).Correct

Security testing is inherently a point-in-time assessment, meaning vulnerabilities found (or not found) reflect the environment's state only during the testing window. New vulnerabilities, configuration changes, or newly deployed assets after the test are not captured, so reviewers must understand results can become outdated quickly. Conveying this sets accurate expectations and underscores the need for continuous monitoring and periodic retesting.

CThe accuracy of testing results can be greatly improved if the target(s) are properly hardened.

Hardening targets before testing would alter the environment being assessed and actually reduce the test's effectiveness at identifying real-world weaknesses, making this statement technically counterproductive and misleading.

DThe deficiencies identified can be corrected immediately

Immediate remediation of all identified deficiencies is rarely feasible due to resource constraints, dependency management, change control processes, and risk prioritization, so stating this sets unrealistic and inaccurate expectations.

Concept tested: Security testing scope and point-in-time assessment limitations

Source: https://csrc.nist.gov/publications/detail/sp/800-115/final

Topics

#security testing#penetration testing#vulnerability assessment#point-in-time assessment

Community Discussion

No community discussion yet for this question.

Full CISSP Practice