Certified Information Systems Auditor (CISA) — Question 904
Which of the following issues identified during a formal review of an organization's information security policies presents the GREATEST potential risk to the organization?
Answer options
- A. The policies have not been reviewed by the risk management committee.
- B. The policies are not based on industry best practices for information security.
- C. The policies are not aligned with the information security risk appetite.
- D. The policies are not available to key risk stakeholders.
Correct answer: C
Explanation
C is correct because policies that do not align with the organization's risk appetite reveal a fundamental disconnect in how risk is managed: the policies may permit exposures the organization has decided not to accept, or impose controls out of proportion to the risks it is willing to tolerate. The other options present risks, but they do not directly affect the organization's overall ability to manage its information security in line with its established risk tolerance.