CISA Certified Information Systems Auditor – Question0402

Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?

A. Industry benchmarks
B. Information security program plans
C. Penetration test results
D. Risk assessment results

Correct Answer: D