Engage security subject matter experts to identify the most effective controls for the specific vulnerability is the correct choice.

By choosing to engage security subject matter experts the team ensures the vulnerability is assessed in its technical and business context and that selected controls target the root cause. Experts can evaluate exploitability, recommend compensating and preventive measures, prioritize controls by risk and feasibility, and map recommendations to established standards for compliance and auditing.

Use established control frameworks such as NIST SP 80053 and CIS Benchmarks is not sufficient on its own because frameworks provide broad baselines and they must be tailored to the specific vulnerability and environment. Frameworks are valuable references but they do not replace targeted analysis and judgement.

Survey other firms in the sector to learn which controls they have adopted is a weak approach because peer practices may reflect different architectures and risk tolerances and they may lag behind current threats. Copying others without contextual evaluation can leave gaps or introduce unnecessary controls.

Choose the most expensive controls to ensure the highest level of protection is incorrect because higher cost does not guarantee better mitigation for the specific issue and it can create complexity and operational burden. Controls should be appropriate and proportional to the assessed risk and to the organisation's constraints.

Full AWS Practitioner Certification Question