Certified Information Systems Auditor (CISA) — Question 304
An external IS auditor has been engaged to determine the organization's cybersecurity posture. Which of the following is MOST useful for this purpose?
Answer options
- A. Capability maturity assessment
- B. Compliance reports
- C. Control self-assessment (CSA)
- D. Industry benchmark report
Correct answer: A
Explanation
A capability maturity assessment provides a structured way to evaluate and improve an organization's cybersecurity practices and maturity levels. Compliance reports and control self-assessments offer insight into current practices, but they do not provide a comprehensive view of maturity. An industry benchmark report may show where the organization stands relative to its peers, but it lacks the depth of analysis that a capability maturity assessment provides.