Certified Information Systems Auditor (CISA) — Question 1431

Which of the following represents the HIGHEST level of maturity of an information security program?

Answer options

• A. The program meets regulatory and compliance requirements.
• B. Information security policies and procedures are established.
• C. A framework is in place to measure risks and track effectiveness.
• D. A training program is in place to promote information security awareness.

Correct answer: C

Explanation

Option C is correct because having a framework to measure risks and track effectiveness signifies a proactive and mature approach to information security. The other options, while important, indicate lower levels of maturity, as they focus on compliance, establishment of policies, and awareness training rather than comprehensive risk management and assessment.