Certified Information Systems Auditor (CISA) — Question 379
Which of the following is the BEST way for an IS auditor to determine how well an information security program has been implemented throughout the organization?
Answer options
- A. Evaluate the percentage of employees who have taken security awareness training.
- B. Review security awareness training content for completeness.
- C. Perform security risk assessments for the organization's business units.
- D. Evaluate the integration of security best practices into business workflow.
Correct answer: D
Explanation
The correct answer is D because evaluating how far security best practices are integrated into day-to-day business workflows shows whether the program is actually being followed in practice across the organization, rather than merely documented or taught. Options A and B measure only the awareness-training component of the program: training completion rates and course content indicate what employees have been told, not whether security controls are applied in their work. Option C, while a useful auditing activity, identifies risks within the business units; it does not by itself assess how well the existing security program has been implemented.