CRISC Certified in Risk and Information Systems Control – Question 288

Which of the following statements BEST describes policy?

A. A minimum threshold of information security controls that must be implemented
B. A checklist of steps that must be completed to ensure information security
C. An overall statement of information security scope and direction
D. A technology-dependent statement of best practices

Correct Answer: C

Explanation:
A policy is an executive mandate that identifies a topic containing particular risks to avoid or prevent. Policies are high-level documents signed by a person of high authority with the power to force cooperation. The policy is a simple document stating that a particular high-level control objective is important to the organization’s success. Policies are usually only one page in length. The authority of the person mandating a policy will determine the scope of implementation. In other words, a policy is an overall statement of information security scope and direction.
Incorrect Answers:
A, B, D: These are not valid definitions of a policy.