Certified Information Systems Auditor (CISA) — Question 305

An IS auditor observes that exceptions have been approved for an organization's information security policy. Which of the following is MOST important for the auditor to confirm?

Answer options

• A. Exceptions do not change residual risk.
• B. Exceptions are approved for predefined periods.
• C. Exceptions require changes to the policy.
• D. Exceptions are approved by the board of directors.

Correct answer: B

Explanation

The auditor must ensure that exceptions are approved for predefined periods to maintain control over the risk management process. Without defined timeframes, exceptions could lead to unmonitored risks. The other options, while important, do not address the need for temporal oversight which is critical for effective policy enforcement.