Certified Information Systems Auditor (CISA) — Question 1312
Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?
Answer options
- A. Risk assessment results
- B. Penetration test results
- C. Industry benchmarks
- D. Information security program plans
Correct answer: A
Explanation
Risk assessment results identify the threats and vulnerabilities the organization actually faces and their potential impact, so they are the best reference for judging whether the information security policy is adequate: a policy is adequate if it addresses the organization's own risks. In contrast, penetration test results reveal specific technical weaknesses at a point in time rather than whether the policy covers what it should; industry benchmarks offer general comparisons with other organizations rather than the organization's own risk profile; and information security program plans describe intended activities that are themselves derived from the policy, so they cannot be used to assess the policy's adequacy.