An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

A. updated frequently.
B. developed by process owners.
C. based on industry standards.
D. well understood by all employees.