Certified Information Systems Auditor (CISA) — Question 518

Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?

Answer options

• A. Corrective control
• B. Preventive control
• C. Detective control
• D. Directive control

Correct answer: D

Explanation

The recommended control is a directive control because it involves establishing policies and guidelines that dictate how the IT equipment should be used. Corrective controls aim to fix issues after they occur, preventive controls are designed to stop problems before they happen, and detective controls are used to identify issues after they have occurred, none of which directly apply to the establishment of an acceptable use policy.