Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?
A. Industry benchmarks
B. Information security program plans
C. Penetration test results
D. Risk assessment results