Certified Information Systems Auditor (CISA) — Question 668

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Answer options

• A. Business objectives
• B. Alignment with the IT tactical plan
• C. Compliance with industry best practice
• D. IT steering committee minutes

Correct answer: A

Explanation

The correct answer is A because aligning the information security policy with business objectives ensures that the policy supports the organization's goals and priorities. Options B and C, while important, are secondary to the fundamental need for the policy to align with what the business aims to achieve. Option D is less relevant as it pertains to meeting minutes rather than the actual policy's effectiveness.