Certified Information Systems Auditor (CISA) — Question 18
An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
Answer options
- A. Technical specifications are not documented.
- B. Disaster recovery plans (DRPs) are not in place.
- C. Attack vectors are evolving for industrial control systems.
- D. There is a greater risk of system exploitation.
Correct answer: D
Explanation
The most significant concern is that outdated technology increases the likelihood of system exploitation due to known vulnerabilities that are no longer patched. While missing documentation and the absence of DRPs are important concerns, they do not pose as immediate a threat to the system's security as the risk of exploitation from evolving attack methods targeting unsupported platforms.