Certified Information Systems Auditor (CISA) — Question 435
An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?
Answer options
- A. Ensure the intrusion prevention system (IPS) is effective.
- B. Verify the disaster recovery plan (DRP) has been tested.
- C. Assess the security risks to the business.
- D. Confirm the incident response team understands the issue.
Correct answer: C
Explanation
The correct answer is C because assessing the security risks to the business is the first step in establishing a vulnerability management program: the assessment establishes which known vulnerabilities expose the business to the greatest harm, so remediation effort can be prioritized accordingly. Options A, B, and D are all important controls, but each depends on first understanding the risks; tuning an IPS, testing a DRP, or briefing the incident response team are specific measures that should follow the risk assessment rather than precede it.