Presenting and acting on security audit findings requires a precise, professional vocabulary that instils confidence in stakeholders and drives timely remediation. From conducting a penetration test and categorising findings by severity to remediating vulnerabilities and assuring the board, security audit communication has its own distinct language. This exercise covers the collocations used by CISOs, security engineers, and compliance teams in audit reporting.
1 / 5
The external security firm was engaged to ___ a penetration test on the company's cloud infrastructure.
'Conduct a penetration test' is the standard cybersecurity services collocation — pen tests are 'conducted' as formal, scoped security assessments. 'Perform' and 'carry out' are also used; 'run' is informal. 'Conduct' is the preferred term in security audit documentation because it implies a structured, methodical process with defined scope, methodology, and reporting obligations.
2 / 5
The security team presented the audit report and was asked to ___ the findings into critical, high, medium, and low severity categories.
'Categorise the findings' is the standard security audit reporting collocation — findings are 'categorised' by severity to help the engineering team prioritise remediation. 'Rank' implies an ordered list rather than category buckets; 'sort' and 'group' are informal. 'Categorise' is the precise term used in security audit reports and vulnerability management frameworks for assigning findings to defined severity classifications.
3 / 5
The CISO required all critical findings to be ___ within 30 days and high-severity issues within 90 days.
'Remediated within 30 days' is the precise security audit and vulnerability management collocation — security findings are formally 'remediated' through a defined, tracked process. 'Fixed' is informal; 'resolved' is used in ticketing systems; 'addressed' is broader. 'Remediate' is the canonical cybersecurity term for the complete process of eliminating a vulnerability, including patch, configuration change, and verification.
4 / 5
The security team worked with legal to ___ the audit findings to the company's cyber insurance provider.
'Disclose the findings' is the precise security and compliance communication collocation — audit findings are formally 'disclosed' to insurers, auditors, and regulators as part of compliance obligations. 'Share' and 'provide' are neutral; 'send' focuses on delivery. 'Disclose' carries the specific meaning of making information available that may otherwise be confidential, and is the appropriate term for regulatory and insurance reporting.
5 / 5
The engineering lead prepared a remediation roadmap to ___ the board that all critical vulnerabilities would be addressed before the product launch.
'Assure the board' is the standard executive governance and audit communication collocation — leaders 'assure' boards that security risks are being managed through evidence-backed roadmaps. 'Convince' implies overcoming resistance; 'show' is informal; 'tell' is too casual for a board context. 'Assure' implies providing a credible, documented basis for confidence rather than simply claiming that action is being taken.