1. Home
  2. Training Library
  3. Testing, audit and review [CISMP]

Test strategies and approaches

The course is part of this learning path

Test strategies and approaches

It’s human nature to want to check and double check.

How many times have you left the house and wondered if you locked the door, or closed the window, or turned off an appliance? Did you go back? Of course, it can be frustrating, but sometimes the instinct to double check can save a lot of trouble in the long run, even if it might cost us time. With digital security you should never trade-off testing in favour of saving time, as the ramifications can be huge. Let’s imagine you’re an Information Security Manager.

Three colleagues around desk with man on right talking and gesticulating while colleagues listen on.

A scenario

Consider a scenario where a software development team has created a new application for the finance team. They’ve been coding for four months and now have what they believe is a completed application that can be deployed to the whole organisation.   

However, as the Information Security Manager, you’re concerned that there may be problems with this code. You need assurance that the new software is secure and won’t cause an unacceptable security risk.  So, you propose a testing cycle. But what does that look like?

Icon of a magnifying glass hovering over a bug on a computer screen


There are various methods that can be used to test a system, and the approach should be updated as the application and business needs evolve. Here are some examples of approaches you can take and their benefits: 

  • The most common approach is a hybrid regime, which comprises a range of methodologies. It provides a holistic approach to evaluating the security posture of the application and ensures the most common coding errors and mistakes are eradicated before it’s deployed to the live environment.
  • User acceptance testing (UAT) is business testing by end users with realistic test cases, which provides an authentic method of discovering issues. Testers can also conduct ad-hoc testing using their business knowledge and initiative to attempt to break the system.
  • Alongside user testing, vulnerability analysis, code reviews and targeted penetration testing can also be undertaken.
  • Defensive coding can be used to make sure that only valid and accurate data are processed by the system.
  • Functional testing of the system ensures that it behaves as expected within the design criteria. It’s designed to confirm that all the components of a piece of code or software operate correctly. Functional testing focuses on testing the interface of the application to ensure that all user requirements for a properly working application are met.
  • Adequate assurance is the approach which takes into account testing confidentiality and integrity when reporting on test results.
  • Regression testing as an approach is defined as a type of software testing to confirm that a recent program or code change has not adversely affected existing features.
  • A sheep dip is the process of using a dedicated computer to test files on removable media for malware before they are allowed to be used with other computers.
  • A sandbox is an isolated test environment on a network that mimics end-user operating environments. Sandbox testing proactively detects malware by executing, or detonating code in a safe and isolated environment to observe that code’s behaviour and output activity.  

But what else should you consider?  

Testing frequency  

Before reading ahead, what do you think determines the frequency of testing? If you’ve conducted testing in the past, what helped you to create your testing plan? 

Testing frequency should be defined by compliance regulations and in the security policy and detailed in the operational security plan, but in general there are three things that testing frequency is determined by:  

  • The frequency of updates to the code base 
  • The extent of the updates 
  • Changes to supporting environments 

Remember that this will cover all aspects of the system, including bespoke solutions, infrastructure components, configuration and access control systems. It can even include testing physical security and administrative processes.   


Finally, a part of testing and test approaches that should be considered throughout the process is backing up your code and data. If you deploy an update and find it has bugs, you’ll need to quickly roll back your system, and having your code and data on hand will help smooth out the process. Here are a few backup approaches you can take:  

  • Full back upis the most complete type of backup where you clone all the selected data. This includes files, folders, SaaS applications, hard drives and more. The main benefit of a full backup is the minimal time it requires to restore data. However, since as everything is backed up in one go there is likely to be considerable duplication of files and it takes longer to backup compared to other approaches. 
  • Differential backup straddles the line between a full and an incremental backup. This type of backup involves backing up data that was created or changed since the last full backup. To put it simply, a full backup is done initially, and then subsequent backups are run to include all the changes made to the files and folders.  In this approach, backups are considerably faster and with less duplication than a full backup but restoring will be slower.
  • Incremental backups are where successive copies of the data contain only a record of the changes since the preceding backup. Incremental backups are therefore the quickest to perform, require the least storage space, but are the slowest to restore.

What’s next? 

So, what have you learnt in your role as an Information Security Manager? Was there anything here that you hadn’t heard of before? Be sure to make note of anything that feels new, so you can take it forward with you in your learning. Next up, you’ll look at Vulnerability testing and the different environments you can utilise to do so.  


In this module you’ll be continuing with the information life cycle by following the process onto Test strategies and approaches through to reporting and verification and finally concluding with auditing and digital forensics.

About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.