Certified Information Systems Auditor (CISA) — Question 329

When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:

Answer options

• A. an information security framework.
• B. past information security incidents.
• C. a risk management process.
• D. industry best practices.

Correct answer: A

Explanation

The correct answer is A, as an information security framework provides a structured approach to managing security policies, ensuring they are comprehensive and aligned with best practices. While past incidents, risk management processes, and industry best practices are important considerations, they should support the framework rather than serve as the primary basis.