Certified Information Systems Auditor (CISA) — Question 593

Which of the following is MOST important to verify when implementing an organization's information security program?

Answer options

• A. The organization's security strategy is documented and approved.
• B. The security program has been benchmarked to industry standards.
• C. The security program is adequately funded in the budget.
• D. The IT department has developed and implemented training programs.

Correct answer: A

Explanation

It is essential to ensure that the organization's security strategy is documented and approved, as this provides a formal framework and direction for the security program. While benchmarking to industry standards, budget funding, and training programs are important, they are secondary to having a clear and endorsed strategy in place to guide all security efforts.