During an information security audit of a mid-sized organization, an IS auditor notes that the organization's information security policy is not sufficient. What is the auditor's BEST recommendation for the organization?
A.
Obtain an external consultant's support to rewrite the policy.
B.
Identify and close gaps compared to a best-practice framework.
C.
Perform a benchmark with competitors’ policies.
D.
Define roles and responsibilities for regularly updating the policy.
While defining roles and responsibilities for regularly updating the policy (Option D) is also important for ensuring the policy remains current and relevant, it does not address the immediate need to enhance the policy to meet recognized standards and best practices. Therefore, identifying and closing gaps compared to a best-practice framework (Option B) is the BEST recommendation for addressing the insufficient information security policy.
upvoted 1 times
...
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Swallows
1 month, 2 weeks ago