Exam CISA
Question 561

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

    Correct Answer: A

    The most important consideration for an IS auditor when assessing the adequacy of an organization's information security policy is whether it aligns with the business objectives. An information security policy must support and protect the critical assets, data, and operations of the organization in alignment with its overall business goals and priorities. This ensures that the policy addresses specific risks and threats faced by the business operations, and helps in achieving the strategic objectives while maintaining the confidentiality, integrity, and availability of information assets.

Discussion
Changwha (Option: A)

A. Business objectives

Swallows (Option: A)

While alignment with the IT tactical plan (option B) is important for ensuring that the information security policy supports the organization's IT goals and strategies, ultimately, the information security policy should align with and support the broader business objectives of the organization. The information security policy should be designed to protect the organization's critical assets, data, and operations in alignment with its business goals and priorities. It should address the specific risks and threats faced by the organization's business operations and support the achievement of strategic objectives while maintaining the confidentiality, integrity, and availability of information assets.