When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:
When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:
When reviewing an organization's information security policies, an IS auditor should ensure that these policies are primarily based on a risk management process. This is because a risk management process identifies, analyzes, evaluates, and treats risks specific to the organization. Policies based on this process are tailored to address the unique risks and requirements of the organization, thus effectively reducing the likelihood and impact of potential security incidents.
c is answer
A risk management process: A risk management process is the most appropriate basis for defining information security policies. Risk management involves identifying, analyzing, evaluating, and treating risks. Policies developed through a risk management process are tailored to the organization's specific risks and requirements, and they are designed to reduce the likelihood and impact of security incident
A. an information security framework.
An information security framework: An information security framework provides a structured approach for developing and implementing information security policies and procedures. However, the framework itself is not sufficient to define policies. The policies should be based on the organization's specific risks and requirements
Some companies they follow a framework like NIST, CIS etc. Others take elements from each framework, and build their own policies based on their needs. They DONT have to follow a security framework. So this is not the answer. Risk assessment is the answer here.
While a risk management process (option C) is essential for identifying and mitigating security risks, information security policies are typically based on established frameworks that incorporate risk management principles as part of their foundation. Therefore, ensuring that policies are defined primarily based on an information security framework ensures alignment with industry best practices and standards, helping to establish a robust and effective information security program.
C. a risk management process