Certified Information Systems Auditor (CISA) — Question 605

Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?

Answer options

• A. Globally accepted privacy best practices
• B. Historical privacy breaches and related root causes
• C. Benchmark studies of similar organizations
• D. Local privacy standards and regulations

Correct answer: D

Explanation

The correct answer is D, as local privacy standards and regulations provide specific legal requirements that organizations must follow, making them essential for assessing compliance. While globally accepted best practices and historical breaches offer useful insights, they do not substitute for the authoritative guidance of local laws. Benchmark studies can help in comparison, but they do not ensure adherence to mandatory regulations.