Certified Information Systems Auditor (CISA) — Question 1459
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's information security governance?
Answer options
- A. Risk assessments of information assets are not periodically performed.
- B. There is no process to measure information security performance.
- C. The information security policy is not reviewed by executive management.
- D. The information security policy does not extend to service providers.
Correct answer: A
Explanation
The greatest concern for an IS auditor is the absence of periodic risk assessments, because without them vulnerabilities in information assets can go unrecognized, and the remaining governance activities have no current risk picture to act on. The lack of a performance measurement process (B) and the absence of executive review of the policy (C) are important weaknesses, but they do not bear directly on the immediate risks to information assets. Likewise, a policy that does not extend to service providers (D) is a significant gap, but it is secondary to failing to assess the assets themselves.