Certified Chief Information Security Officer (CCISO) — Question 42
Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
When adjusting the controls to mitigate the risks, how often should the CISO perform an audit to verify the controls?
Answer options
- A. Never
- B. Quarterly
- C. Annually
- D. Semi-annually
Correct answer: C
Explanation
The correct answer is C: an annual audit allows a thorough evaluation of the controls and confirms that they remain effective against the identified risks. Options A and B are inadequate because never auditing, or auditing too frequently, may overlook necessary adjustments. Option D, although better than A and B, does not provide the comprehensive yearly review needed to address evolving risks.