Certified Information Systems Auditor (CISA) — Question 1108

An organization has implemented a policy to require minimum security control baselines when configuring servers or systems. What control type has been implemented?

Answer options

Correct answer: C

Explanation

The correct answer is C, Preventive, because enforcing minimum security control baselines is a measure taken to prevent security incidents. The other options do not fit: compensating controls serve as alternatives when primary controls are not feasible, directive controls focus on policies and guidelines, and corrective controls address issues after they occur.