Certified Information Systems Auditor (CISA) — Question 1458
An IS auditor is reviewing an organization's overall incident response capability following recovery from a cybersecurity incident. Which of the following findings should be of MOST concern to the auditor?
Answer options
- A. Risk analysis errors were identified as part of the post-incident review.
- B. Logs were only collected as part of the post-incident review.
- C. The incident was caused by a known vulnerability with a documented risk acceptance.
- D. Lessons learned were not documented after the incident.
Correct answer: B
Explanation
The correct answer is B because collecting logs only as part of the post-incident review indicates a lack of proactive monitoring and analysis, which is crucial for effective incident response. Option A, while concerning, does not directly impact the immediate response capability. Option C reflects an accepted risk, which may be managed. Option D, though important, does not compromise the incident response process as severely as the lack of proactive log collection.