Certified Information Systems Auditor (CISA) — Question 559
Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?
Answer options
- A. Security policies are not applicable across all business units.
- B. End users are not required to acknowledge security policy training.
- C. The security policy has not been reviewed within the past year.
- D. Security policy documents are available on a public domain website.
Correct answer: A
Explanation
The greatest concern for an IS auditor is that security policies may not be applicable to all business units, which can lead to inconsistent security practices. The other options also describe weaknesses, but none has as significant an impact on the overall effectiveness and applicability of the security policies across the organization.