Certified Information Systems Auditor (CISA) — Question 671
An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:
Answer options
- A. based on industry standards.
- B. well understood by all employees.
- C. updated frequently.
- D. developed by process owners.
Correct answer: B
Explanation
The most important factor to determine next is whether the policy is well understood by all employees, because effective implementation depends on their comprehension of and adherence to it. Basing the policy on industry standards, updating it frequently, and having it developed by process owners are all important, but they are secondary to ensuring that all staff can grasp and follow the policy effectively.