Exam CISA All Questions

Exam CISA topic 1 question 210 discussion

Actual exam question from Isaca's CISA
Question #: 210
Topic #: 1
When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:

  • A. an information security framework.
  • B. past information security incidents.
  • C. a risk management process.
  • D. industry best practices.
Suggested Answer: C

Comments

Swallows
1 month, 1 week ago
Selected Answer: A
While a risk management process (option C) is essential for identifying and mitigating security risks, information security policies are typically based on established frameworks that incorporate risk management principles as part of their foundation. Therefore, ensuring that policies are defined primarily based on an information security framework ensures alignment with industry best practices and standards, helping to establish a robust and effective information security program.
upvoted 1 times
Yejide03
5 months, 2 weeks ago
Selected Answer: C
C. a risk management process
upvoted 1 times
3008
1 year, 1 month ago
Selected Answer: C
C is the answer.
upvoted 4 times
3008
1 year, 1 month ago
A risk management process: A risk management process is the most appropriate basis for defining information security policies. Risk management involves identifying, analyzing, evaluating, and treating risks. Policies developed through a risk management process are tailored to the organization's specific risks and requirements, and they are designed to reduce the likelihood and impact of security incidents.
upvoted 3 times
007Georgeo
1 year, 2 months ago
Selected Answer: A
A. an information security framework.
upvoted 3 times
cidigi
10 months, 3 weeks ago
Some companies follow a framework like NIST, CIS, etc. Others take elements from each framework and build their own policies based on their needs. They DON'T have to follow a security framework. So this is not the answer. Risk assessment is the answer here.
upvoted 1 times
3008
1 year, 1 month ago
An information security framework: An information security framework provides a structured approach for developing and implementing information security policies and procedures. However, the framework itself is not sufficient to define policies. The policies should be based on the organization's specific risks and requirements.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other