Certified Information Systems Auditor (CISA) — Question 631

Which of the following is the BEST indication that an information security program is aligned with organizational objectives?

Answer options

• A. Senior management conducts regular reviews of information security policies.
• B. The information security steering committee sets organizational security priorities.
• C. Risk is managed to within organizational tolerances.
• D. Information security processes are in place throughout the system development life cycle (SDLC).

Correct answer: C

Explanation

Managing risk within organizational tolerances indicates that the information security program effectively supports the overall objectives of the organization. While regular reviews, setting priorities, and processes in the SDLC are important, they do not directly demonstrate alignment with organizational goals as effectively as managing risk does.