CISA Certified Information Systems Auditor – Question0376

An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

A.
updated frequently.
B. developed by process owners.
C. based on industry standards.
D. well understood by all employees.

Correct Answer: D