Certified Information Systems Auditor (CISA) — Question 485

An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?

Answer options

• A. Configure users on the mobile device management (MDM) solution.
• B. Create inventory records of personal devices.
• C. Implement an acceptable use policy.
• D. Conduct security awareness training.

Correct answer: C

Explanation

Creating an acceptable use policy is essential as it sets the guidelines and rules for how personal devices should be used on the corporate network, ensuring compliance and security. Without this policy in place, other actions like configuring an MDM solution or conducting training may not be effective. Inventorying devices and training users are important but should occur after the policy is established.