Certified Information Systems Auditor (CISA) — Question 497

When reviewing an organization's IT governance processes, which of the following provides the BEST indication that information security expectations are being met at all levels?

Answer options

• A. Achievement of established security metrics
• B. Approval of the security program by senior management
• C. Utilization of an internationally recognized security standard
• D. Implementation of a comprehensive security awareness program

Correct answer: A

Explanation

The achievement of established security metrics directly reflects how well information security expectations are being met across the organization, making it the best indicator. While approval from senior management, adherence to standards, and security awareness programs are important, they do not provide direct evidence of security performance at all levels.