A new CISO just started with a company and on the CISO's desk is the last complete Information Security Management audit report. The audit report is over two years old.
After reading it, what should be your first priority?
Given that the audit report is over two years old, the most prudent first step is to have an internal audit conducted again to assess the current state of Information Security Management. This will provide the new CISO with up-to-date information on what has changed, allowing for more informed decision-making on subsequent actions and adjustments that may be needed.
It should be C
Audit wouldn't be implementing the changes, it should be reviewing the actions with the internal team to see what they have implemented.
A is correct. I confirmed the same answer on another website.
C: audit does not implement changes.
Audit does not implement changes
Why not A: While reviewing recommendations is valuable, it doesn't provide insights into new risks or changes that have occurred since the last audit.