Certified Information Systems Auditor (CISA) — Question 901

A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?

Answer options

• A. Enterprise architecture (EA)
• B. Business impact analysis (BIA)
• C. Business objectives
• D. Recent incident trends

Correct answer: C

Explanation

The correct answer is C, as aligning the information security policy with business objectives ensures that security measures support the organization's goals. Options A and B, while important, are more about the structure and analysis rather than directly reflecting the organization's aims. Option D focuses on past incidents, which is useful but does not address the proactive alignment with future business goals.