Certified Information Systems Auditor (CISA) — Question 981

During an information security audit of a mid-sized organization, an IS auditor notes that the organization's information security policy is inadequate. What is the auditor's BEST recommendation to the organization?

Answer options

Correct answer: B

Explanation

The best recommendation is to identify and close the gaps between the current policy and a recognized best-practice framework. A gap analysis against such a framework shows precisely where the policy falls short and produces a concrete, prioritized list of what must be added or strengthened, which is what resolves the deficiency the auditor observed. Obtaining external support or comparing the policy with competitors' policies may help, but neither directly produces alignment with an accepted standard, and a competitor's policy may itself be inadequate. Defining roles and responsibilities is important for implementing a policy, but it does not correct the deficiencies in the policy itself.