Certified in Risk and Information Systems Control (CRISC) — Question 1381

Which of the following will provide the BEST measure of compliance with IT policies?

Answer options

• A. Evaluate past policy review reports.
• B. Test staff on their compliance responsibilities.
• C. Perform penetration testing.
• D. Conduct regular independent reviews.

Correct answer: D

Explanation

Conducting regular independent reviews is the best measure of compliance because it ensures an objective assessment of adherence to IT policies. In contrast, evaluating past reports may not reflect current practices, testing staff can only measure their knowledge at a point in time, and penetration testing focuses on security vulnerabilities rather than overall policy compliance.