nerdexam
(ISC)2

CISSP · Question #747

A vulnerability test on an Information System (IS) is conducted to

The correct answer is C. evaluate the effectiveness of security controls.. A vulnerability test on an Information System is conducted to evaluate how well the existing security controls protect against known weaknesses and threats. It identifies gaps in defenses rather than exploiting them for malicious purposes.

Submitted by salim_om· Mar 5, 2026Security Assessment and Testing

Question

A vulnerability test on an Information System (IS) is conducted to

Options

  • Aexploit security weaknesses in the IS.
  • Bmeasure system performance on systems with weak security controls.
  • Cevaluate the effectiveness of security controls.
  • Dprepare for Disaster Recovery (DR) planning.

How the community answered

(35 responses)
  • B
    6% (2)
  • C
    91% (32)
  • D
    3% (1)

Why each option

A vulnerability test on an Information System is conducted to evaluate how well the existing security controls protect against known weaknesses and threats. It identifies gaps in defenses rather than exploiting them for malicious purposes.

Aexploit security weaknesses in the IS.

Exploiting security weaknesses is the objective of penetration testing, not a vulnerability test, which only identifies and assesses weaknesses without actively exploiting them.

Bmeasure system performance on systems with weak security controls.

Vulnerability testing focuses on security control gaps and risk exposure, not on benchmarking or measuring system performance metrics under weak security conditions.

Cevaluate the effectiveness of security controls.Correct

A vulnerability test is a structured assessment designed to evaluate the effectiveness of security controls by identifying weaknesses, misconfigurations, or gaps in defenses within an Information System. The goal is to determine whether controls such as patching, access controls, and configurations are functioning as intended, providing actionable findings to improve the security posture without necessarily exploiting those vulnerabilities.

Dprepare for Disaster Recovery (DR) planning.

Disaster Recovery planning involves business continuity strategies and recovery time objectives, which are separate from vulnerability assessments that focus on security control evaluation.

Concept tested: Purpose and scope of vulnerability testing

Source: https://csrc.nist.gov/publications/detail/sp/800-115/final

Topics

#Vulnerability testing#Security controls#Security assessment

Community Discussion

No community discussion yet for this question.

Full CISSP Practice