Certified Information Systems Auditor (CISA) — Question 628
Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?
Answer options
- A. The private key certificate has not been updated.
- B. The certificate revocation list has not been updated.
- C. The certificate practice statement has not been published.
- D. The PKI policy has not been updated within the last year.
Correct answer: B
Explanation
The certificate revocation list (CRL) is the mechanism by which relying parties learn that a certificate has been revoked before its expiry date, for example because the corresponding private key was compromised. If the CRL is not updated, mail clients and servers will continue to trust certificates that the CA has already revoked, so a compromised certificate can still be used to sign or decrypt enterprise email. This is a direct and immediate threat to the integrity of the PKI. The other options are also legitimate audit findings, but they do not expose the organization to the same immediate risk as an outdated CRL.