Exam CISA topic 1 question 1737 discussion

A. Risk assessments of information assets are not periodically performed. This option is of utmost concern because regular risk assessments are fundamental to identifying, evaluating, and mitigating risks associated with information assets. Without periodic risk assessments, the organization may remain unaware of potential vulnerabilities and threats, leading to inadequate protection of sensitive information and increased exposure to security incidents. While both the lack of periodic risk assessments and the absence of executive review of the information security policy are serious concerns, the priority can depend on the specific context and maturity of the organization's governance. However, your emphasis on the necessity of risk assessments highlights a critical aspect of effective information security governance. Both factors should be taken seriously to ensure comprehensive security management.

he absence of an information security policy would be of greatest concern because: Governance can't function effectively without clear guidelines and principles. There's no formalized standard for addressing the risks identified by risk assessments. The organization's security posture lacks direction, potentially leading to inconsistent risk management. Thus, in the scenario you presented, the absence of an information security policy would indeed undermine the entire governance process, making it the greatest concern for an IS auditor assessing the effectiveness of governance.