Certified Information Systems Auditor (CISA) — Question 423
What is the MOST critical finding when reviewing an organization's information security management?
Answer options
- A. No official charter for the information security management system
- B. No employee awareness training and education program
- C. No dedicated security officer
- D. No periodic assessments to identify threats and vulnerabilities
Correct answer: D
Explanation
The most critical finding is the absence of periodic assessments to identify threats and vulnerabilities. These assessments are the foundation of risk management: they tell the organization what it needs to protect against, and every other security measure depends on that knowledge to be effective. Without them, new and changing risks to information assets go unrecognized and therefore unaddressed, regardless of how well the program is organized. A missing ISMS charter, awareness program, or dedicated security officer is a weakness in how the program is governed and staffed; each matters, but none replaces the continuous evaluation of threats and vulnerabilities that the other controls are meant to respond to.