Certified Chief Information Security Officer (CCISO) — Question 149
Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO, and a variety of high-, medium- and low-rated gaps were identified.
After determining the audit findings are accurate, which of the following is the MOST logical next activity?
Answer options
- A. Validate gaps with the Information Technology team
- B. Begin initial gap remediation analyses
- C. Review the security organization's charter
- D. Create a briefing of the findings for executive management
Correct answer: B
Explanation
The most logical next step is to begin initial gap remediation analyses (B), as this takes a proactive approach to addressing the identified issues. Validating gaps with the IT team (A) may be necessary but does not directly lead to action, while reviewing the organization's charter (C) and creating a briefing for management (D) are important but secondary steps that can follow once remediation planning is under way.