ISC2 CISSP: Security Assessment and Testing
Table of Contents
Click Here to Return To the ISC2 CISSP Course Page
Security Assessment and Testing is 12% of the ISC2 CISSP exam. This module covers how you prove your controls work rather than assuming they do. Testing without acting on the results provides no real assurance, so the exam stresses reporting and remediation as much as the tests themselves.
A control you never test is a control you only hope works. Assessment and testing close the gap between policy on paper and security in practice. You design the strategy, run the tests, gather the data, and report findings that drive real fixes.
Assessment, Test, and Audit Strategies
You design a strategy before you test so the work is repeatable and defensible.
| Activity | Who runs it | Purpose |
|---|---|---|
| Assessment | Internal team or consultant | Broad evaluation of security posture |
| Test | Internal team | Verify a specific control works |
| Audit | Independent party | Provide objective assurance to stakeholders |
You design strategies to match the organization’s risk, compliance needs, and the data states you protect. Map every test back to a control and every control back to a risk from Security and Risk Management .
Security Control Testing
You combine several techniques because no single test finds everything.
- Vulnerability assessment scans systems for known weaknesses and produces a prioritized list. It is broad but does not confirm exploitability.
- Penetration testing actively exploits weaknesses to prove real impact. It is deep but narrow.
- Log reviews check whether monitoring captures the events you need for detection and investigation.
- Code review examines source code for flaws, either manually or with tools.
Penetration testing uses team colors to define roles:
| Team | Role |
|---|---|
| Red team | Attackers who simulate a real adversary |
| Blue team | Defenders who detect and respond |
| Purple team | Red and blue working together to improve both |
| White team | Referees who set rules and judge the exercise |
# Run an authenticated vulnerability scan with Nmap's script engine
nmap -sV --script vuln 10.0.0.0/24
# Check a web application's security headers during an assessment
curl -sI https://app.example.com | grep -i "strict-transport-security\|content-security-policy"
You also apply specialized tests:
- Synthetic transactions are scripted actions that mimic real users to test availability and performance.
- Misuse case testing checks how the system behaves when someone abuses it, not just when they use it correctly.
- Interface testing verifies APIs, GUIs, and connections between systems.
- Breach and attack simulation (BAS) continuously runs automated attacks to validate defenses around the clock.
For deeper, hands-on practice with these techniques, the PenTest+ engagement management module walks through a full professional test.
Collecting Security Process Data
You collect operational data so you can measure whether security is improving.
- Account management reviews confirm accounts are provisioned, reviewed, and deprovisioned correctly, tying back to Identity and Access Management .
- Management review brings results to leadership for decisions and resource allocation.
- Backup verification confirms backups exist and actually restore. An untested backup is not a backup.
- Training and awareness metrics track who completed training and how phishing-test results trend.
You measure with two kinds of metrics:
| Metric | Looks at | Example |
|---|---|---|
| KPI (Key Performance Indicator) | Past performance | Percent of systems patched on time |
| KRI (Key Risk Indicator) | Future risk | Number of unpatched critical vulnerabilities |
KPIs tell you how you did. KRIs warn you about what could go wrong next.
Analyzing Output and Reporting
A test only matters if someone acts on it. You turn raw output into a report that drives change.
- Remediation assigns owners and deadlines to each finding and tracks them to closure.
- Exception handling documents risks the business chooses to accept, with a formal sign-off.
- Ethical disclosure reports vulnerabilities responsibly, giving the owner time to fix before public release.
You rank findings by business risk, not by technical severity alone. A medium flaw on a payment server outranks a critical flaw on an isolated test box.
Security Audits
Audits provide independent assurance and come in three forms.
| Audit type | Run by | Use |
|---|---|---|
| Internal | Your own audit team | Self-assessment and continuous improvement |
| External | An outside firm | Independent assurance to regulators and partners |
| Third-party | A party assessing a vendor | Validate a supplier’s controls, such as a SOC 2 report |
You use third-party audits to manage supply chain risk, confirming a vendor’s controls before you trust them with your data.
Next Steps
With testing and reporting mastered, continue to Security Operations to act on findings day to day, then Software Development Security to build testing into the pipeline. Review tips for passing certification exams and return to the ISC2 CISSP Course .
