Exam CISA topic 1 question 305 discussion

Direct Indicator of Policy Gaps: A significant increase in audit findings directly indicates that there are weaknesses or deficiencies in the current cybersecurity controls, which are often tied to the policy itself. It suggests that the policy may not be adequately addressing security requirements or is not being implemented effectively. Focus on Effectiveness: Audit findings assess the effectiveness of controls and policies, making this the most direct indicator that the policy may need revision to address identified issues and improve overall security posture.

D is right

A significant increase in external attack attempts is typically a more direct and urgent signal that the policy may no longer adequately address the evolving security challenges posed by external threats. It highlights the need for proactive policy revisions to strengthen the organization's cybersecurity defenses.

When exceptions become more frequent, it suggests that the policy is not meeting the needs of the organization, and employees are finding ways to work around it. This may indicate that the policy is too strict, difficult to follow, or not aligned with business needs. As a result, the policy needs to be revised to better align with the needs of the organization while still providing adequate protection against cyber threats.

i think the answer is D. In the option B, the audit finding does not always mean the policy is not sufficient and need to udpate. However, the increasing of exception approval means that the policy is not cover all aspect hence exception approval is required.

B seems to be the right answer. A significant increase in cybersecurity audit findings