Certified Information Systems Auditor (CISA) — Question 1265
Which of the following is the BEST way for an IS auditor to validate that employees have been made aware of the organization's information security policy?
Answer options
- A. Interview employees to determine their level of understanding of the policy.
- B. Compare the employee roster against a list of those who attended security training.
- C. Review HR records for employee violations of the information security policy.
- D. Review the training process to determine how policies are explained to employees.
Correct answer: A
Explanation
The best approach is to interview employees, because that directly tests their awareness and understanding of the information security policy. Comparing the employee roster against training attendance only shows who was present, not who understood the material; reviewing HR records for violations only surfaces past incidents; and reviewing the training process shows how policies are explained but not whether employees actually absorbed them.