nerdexam
(ISC)2

CISSP · Question #752

The three PRIMARY requirements for a penetration test are

The correct answer is A. A defined goal, limited time period, and approval of management. A penetration test must be properly scoped and authorized to be legal and effective. The three primary requirements ensure the test is purposeful, bounded, and sanctioned.

Submitted by sofia.br· Mar 5, 2026Security Assessment and Testing

Question

The three PRIMARY requirements for a penetration test are

Options

  • AA defined goal, limited time period, and approval of management
  • BA general objective, unlimited time, and approval of the network administrator
  • CAn objective statement, disclosed methodology, and fixed cost
  • DA stated objective, liability waiver, and disclosed methodology

How the community answered

(19 responses)
  • A
    95% (18)
  • C
    5% (1)

Why each option

A penetration test must be properly scoped and authorized to be legal and effective. The three primary requirements ensure the test is purposeful, bounded, and sanctioned.

AA defined goal, limited time period, and approval of managementCorrect

A defined goal establishes the scope and success criteria of the test, a limited time period ensures the engagement is controlled and distinguishable from an actual attack, and management approval provides the legal authorization that transforms the activity from criminal intrusion into a sanctioned security assessment. Without all three, a penetration test lacks proper governance and legal standing.

BA general objective, unlimited time, and approval of the network administrator

An 'unlimited time period' is incorrect because penetration tests must be time-bounded to control risk, contain costs, and distinguish authorized testing from persistent unauthorized access; additionally, approval must come from management (or system owner), not just a network administrator who may lack authority to authorize such testing.

CAn objective statement, disclosed methodology, and fixed cost

While an objective statement and disclosed methodology are relevant concepts, 'fixed cost' is a contractual/financial consideration, not a primary technical or governance requirement for conducting a penetration test, and methodology disclosure is not always required (black-box tests intentionally limit this).

DA stated objective, liability waiver, and disclosed methodology

A liability waiver and disclosed methodology are contractual and procedural considerations, but a liability waiver alone does not replace the requirement for explicit management approval, and disclosed methodology is not always a primary requirement since blind or black-box testing deliberately withholds methodology details.

Concept tested: Core requirements and authorization for penetration testing

Source: https://csrc.nist.gov/publications/detail/sp/800-115/final

Topics

#Penetration testing#Scope definition#Management approval

Community Discussion

No community discussion yet for this question.

Full CISSP Practice