CISA Certified Information Systems Auditor – Question2257

The initial step in establishing an information security program is the:

A. development and implementation of an information security standards manual.
B. performance of a comprehensive security control review by the IS auditor.
C. adoption of a corporate information security policy statement.
D. purchase of security access control software.

Correct Answer: C

Explanation:

A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.