Certified in Risk and Information Systems Control (CRISC) — Question 1250

Which of the following deficiencies identified during a review of an organization’s cybersecurity policy should be of MOST concern?

Answer options

• A. The policy has gaps against relevant cybersecurity standards and frameworks.
• B. The policy lacks specifics on how to secure the organization's systems from cyberattacks.
• C. The policy has not been reviewed by the cybersecurity team in over a year.
• D. The policy has not been approved by the organization's board.

Correct answer: D

Explanation

The most pressing concern is that the policy has not received approval from the organization's board, as this indicates a lack of governance and oversight. While the other options are significant, they can often be addressed through internal processes. Without board approval, the policy may lack authority and legitimacy within the organization.