According to the CRISC Review Manual (Digital Version), the best way to validate the results of a vulnerability assessment is to perform a penetration test, which is a type of security testing that simulates an attack on the IT assets and processes to exploit the identified vulnerabilities and evaluate the potential impact and severity of the attack. Performing a penetration test helps to:
Confirm the existence and exploitability of the vulnerabilities detected by the vulnerability assessment
Measure the effectiveness and efficiency of the existing security controls and countermeasures
Identify and prioritize the risks and gaps in the security posture of the IT assets and processes
Recommend and implement appropriate remediation and mitigation actions to address the vulnerabilities and risks
Enhance the security awareness and resilience of the organization
References = CRISC Review Manual (Digital Version), Chapter 1: IT Risk Identification, Section 1.5: IT Risk Identification Methods and Techniques, pp. 36-371
Submit