Certified Information Systems Auditor (CISA) — Question 585
Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?
Answer options
- A. Prioritization criteria are not defined.
- B. Service management standards are not followed.
- C. Expected time to resolve incidents is not specified.
- D. Metrics are not reported to senior management.
Correct answer: A
Explanation
The correct answer is A because undefined prioritization criteria can lead to inefficient incident handling and resource allocation. While the gaps described in options B, C, and D are significant, they do not affect the immediate effectiveness of incident management as directly as missing prioritization criteria do.