Certified Information Systems Auditor (CISA) — Question 150

Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?

Answer options

• A. The information security policy does not include mobile device provisions.
• B. The information security policy is not frequently reviewed.
• C. The information security policy has not been approved by the chief audit executive (CAE).
• D. The information security policy has not been approved by the policy owner.

Correct answer: D

Explanation

The greatest concern is that the information security policy has not been approved by the policy owner, as this indicates a lack of authority and accountability for the policy's implementation. While the other options highlight important issues, they do not undermine the foundational authority of the policy as significantly as the lack of approval from the policy owner does.