nerdexam
(ISC)2

CISSP · Question #242

During the Security Assessment and Authorization process, what is the PRIMARY purpose for conducting a hardware and software inventory?

The correct answer is D. Define the boundaries of the information system.. In the Security Assessment and Authorization (SA&A) process, a hardware and software inventory is primarily used to establish and define the authorization boundary of the information system.

Submitted by jaden.t· Mar 5, 2026Security Assessment and Testing

Question

During the Security Assessment and Authorization process, what is the PRIMARY purpose for conducting a hardware and software inventory?

Options

  • ACalculate the value of assets being accredited.
  • BCreate a list to include in the Security Assessment and Authorization package.
  • CIdentify obsolete hardware and software.
  • DDefine the boundaries of the information system.

How the community answered

(46 responses)
  • A
    4% (2)
  • B
    2% (1)
  • C
    2% (1)
  • D
    91% (42)

Why each option

In the Security Assessment and Authorization (SA&A) process, a hardware and software inventory is primarily used to establish and define the authorization boundary of the information system.

ACalculate the value of assets being accredited.

Calculating asset value is a financial or risk-valuation activity, not the primary purpose of inventory during SA&A, which focuses on security control applicability rather than monetary worth.

BCreate a list to include in the Security Assessment and Authorization package.

While an inventory may ultimately be included as documentation in the SA&A package, creating a list for inclusion is a byproduct, not the primary purpose of conducting the inventory.

CIdentify obsolete hardware and software.

Identifying obsolete hardware and software is a lifecycle management or vulnerability management concern, which is separate from the core SA&A goal of establishing what components are within the authorization boundary.

DDefine the boundaries of the information system.Correct

Defining the authorization boundary is foundational to the SA&A process because it determines exactly what components - hardware, software, and interfaces - fall within scope of the security controls being assessed. Without a clear inventory, the system boundary cannot be accurately drawn, making it impossible to determine what must be protected and evaluated. NIST SP 800-37 explicitly requires that the system boundary be defined through this inventory as part of the categorization and authorization steps.

Concept tested: SA&A system boundary definition via hardware/software inventory

Source: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final

Topics

#security assessment#system boundaries#asset inventory

Community Discussion

No community discussion yet for this question.

Full CISSP Practice