Certified Information Systems Auditor (CISA) — Question 697

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's release management processes?

Answer options

• A. Some releases are carried out with no supporting release documentation
• B. Some releases exceeded the agreed-upon outage window.
• C. Release documentation does not follow a consistent format for all systems.
• D. Release management policies have not been updated in the past two years.

Correct answer: A

Explanation

The absence of supporting release documentation (Option A) is the most critical issue because it can lead to misunderstandings and errors during the release process, increasing risk. While exceeding the outage window (Option B) and inconsistent documentation formats (Option C) are concerning, they do not pose as immediate a risk to the integrity of the release process. Not updating policies (Option D) is important, but without proper documentation, the overall effectiveness of release management is severely compromised.