CISA Certified Information Systems Auditor – Question0509

The CIO of an organization is concerned that the information security policies may not be comprehensive. Which of the following should an IS auditor recommend be performed FIRST?

A. Obtain a copy of their competitor’s policies.
B. Determine if there is a process to handle exceptions to the policies.
C. Establish a governance board to track compliance with the policies.
D. Compare the policies against an industry framework.

Correct Answer: C