Certified Chief Information Security Officer (CCISO) — Question 122

Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high, medium and low rated gaps were identified. The CISO has validated audit findings, determined if compensating controls exist, and started initial remediation planning.
Which of the following is the MOST logical next step?

Answer options

• A. Create detailed remediation funding and staffing plans
• B. Report the audit findings and remediation status to business stake holders
• C. Validate the effectiveness of current controls
• D. Review security procedures to determine if they need modified according to findings

Correct answer: B

Explanation

The correct answer is B because it is crucial for the CISO to communicate the audit findings and the status of remediation to business stakeholders, ensuring transparency and alignment with organizational objectives. The other options, while important, do not represent the immediate next step in addressing the findings from the audit report.