Certified Information Systems Auditor (CISA) — Question 1295
An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:
Answer options
- A. neighboring organizations' operations have been included.
- B. the exercise was completed by local management.
- C. all identified threats relate to external entities.
- D. some of the identified threats are unlikely to occur.
Correct answer: C
Explanation
The correct answer is C: if all identified threats relate only to external entities, the assessment shows a lack of awareness of internal vulnerabilities, which can be critical. Options A and B are not as concerning, since they reflect proper considerations in the assessment process. Option D is less critical than option C: even if some identified threats are deemed unlikely to occur, the assessment still allows other relevant threats to be identified.