A new CISO just started with a company and on the CISO's desk is the last complete Information Security Management audit report. The audit report is over two years old. After reading it, what should be the CISO's FIRST priority?
A. Have internal audit conduct another audit to see what has changed.
B. Contract with an external audit company to conduct an unbiased audit.
C. Review the recommendations and follow up to see if audit implemented the changes.
D. Meet with audit team to determine a timeline for corrections.
Upon starting a new role, the CISO’s first task is to understand the current security posture by evaluating existing reports, audits, and documentation.
The two-year-old audit report provides a starting point to identify gaps and determine if previous recommendations were implemented.
Why Following Up on Audit Recommendations (Option C) Is the First Priority:
Ensures critical findings from the previous audit have been addressed, which could mitigate potential risks.
Provides insight into the organization’s ability to act on audit findings and close gaps effectively.
Highlights areas where improvements are still needed.
Why Other Options Are Incorrect:
A. Conduct another internal audit: Premature; following up on the existing audit is more immediate and actionable.
B. Contract with an external audit company: Adds cost and delays addressing known issues.
D. Meet with the audit team for corrections timeline: Important but secondary to verifying the status of previous recommendations.
References: EC-Council emphasizes the importance of evaluating and following up on past audit findings as a foundational step for a CISO in assessing the current security environment.