Certified Information Systems Auditor (CISA) — Question 238

Which of the following should be an IS auditor's PRIMARY consideration when evaluating the development and design of a privacy program?

Answer options

• A. Policies and procedures consistent with privacy guidelines
• B. Industry practice and regulatory compliance guidance
• C. Information security and incident management practices
• D. Privacy training and awareness program for employees

Correct answer: B

Explanation

The correct answer is B because understanding industry practices and regulatory compliance is crucial for ensuring that the privacy program meets legal and professional standards. While policies, information security, and training are important, they are secondary to the foundational requirements set by regulations and industry norms.