Certified Chief Information Security Officer (CCISO) — Question 39
Scenario: A Chief Information Security Officer (CISO) recently had a third party conduct an audit of the security program. Internal policies and international standards were used as audit baselines. The audit report was presented to the CISO and a variety of high-, medium- and low-rated gaps were identified.
Which of the following is the FIRST action the CISO will perform after receiving the audit report?
Answer options
- A. Inform peer executives of the audit results
- B. Validate gaps and accept or dispute the audit findings
- C. Create remediation plans to address program gaps
- D. Determine if security policies and procedures are adequate
Correct answer: B
Explanation
The correct answer is B because the CISO needs to first confirm the accuracy of the findings before taking further actions. Accepting or disputing the audit results is essential to ensure that any remediation plans or policy assessments are based on validated information. Options A, C, and D would be premature without first validating the audit findings.