Certified Information Systems Auditor (CISA) — Question 861
An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule. What should the auditor do NEXT?
Answer options
- A. Request a plan of action to be established as a follow-up item.
- B. Interview IT management to clarify the current procedure.
- C. Review the organization's patch management policy.
- D. Report this finding to senior management.
Correct answer: C
Explanation
The correct answer is C because the auditor must first review the organization's patch management policy to establish what the approved patching schedule, exceptions and compliance requirements actually are; only then can the deviation seen in the patch logs be assessed against a defined standard. Options A and B may provide additional context, but they do not address the immediate need to confirm what the policy requires. Option D, while important, comes after the auditor understands the policy and the reasons for the non-compliance.