nerdexam
(ISC)2

CISSP · Question #256

When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports?

The correct answer is B. To find areas of compromise in confidentiality and integrity. Security assessment test outputs and reports are primarily designed to identify areas where confidentiality, integrity, or availability may be compromised, providing actionable findings for remediation.

Submitted by ravi_2018· Mar 5, 2026Security Assessment and Testing

Question

When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports?

Options

  • ATo force the software to fail and document the process
  • BTo find areas of compromise in confidentiality and integrity
  • CTo allow for objective pass or fail decisions
  • DTo identify malware or hidden code within the test results

How the community answered

(39 responses)
  • A
    13% (5)
  • B
    79% (31)
  • C
    3% (1)
  • D
    5% (2)

Why each option

Security assessment test outputs and reports are primarily designed to identify areas where confidentiality, integrity, or availability may be compromised, providing actionable findings for remediation.

ATo force the software to fail and document the process

Forcing software to fail (fault injection or stress testing) is a specific testing technique, not the overarching purpose of security assessment reports, which focus on identifying security weaknesses rather than documenting failure processes.

BTo find areas of compromise in confidentiality and integrityCorrect

The main purpose of test outputs and reports in security assessments is to reveal areas of compromise in confidentiality and integrity (and availability), which are the core security properties being evaluated. These reports document discovered vulnerabilities, weaknesses, and exposures so that organizations can understand their risk posture and prioritize corrective actions aligned with security objectives.

CTo allow for objective pass or fail decisions

Pass/fail decisions are more characteristic of compliance audits or functional testing checklists, whereas security assessment reports provide nuanced findings about risk and compromise rather than simple binary outcomes.

DTo identify malware or hidden code within the test results

Identifying malware or hidden code is the goal of malware analysis or code review activities, which are narrow subsets of security testing, not the primary purpose of security assessment test outputs and reports broadly.

Concept tested: Purpose of security assessment test outputs and reports

Source: https://csrc.nist.gov/publications/detail/sp/800-115/final

Topics

#security assessment#test reporting#confidentiality#integrity

Community Discussion

No community discussion yet for this question.

Full CISSP Practice