Isaca Certified Information Systems Auditor CISA Question # 123 Topic 13 Discussion
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
The most important consideration for an IS auditor when assessing the adequacy of an organization's information security policy is the business objectives. An information security policy is a document that defines the organization's approach to protecting its information assets from internal and external threats. It should align with the organization's mission, vision, values, and goals, and support its business processes and functions [1]. An information security policy should also be focused on the business needs and requirements of the organization, rather than on technical details or specific solutions [2].
The other options are not as important as the business objectives, because they do not directly reflect the organization's purpose and direction. IT steering committee minutes are records of the discussions and decisions made by a group of senior executives who oversee the IT strategy and governance of the organization. They may provide some insights into the information security policy, but they are not sufficient to evaluate its adequacy [3]. Alignment with the IT tactical plan is a measure of how well the information security policy supports the short-term actions and projects that implement the IT strategy. However, the IT tactical plan itself should be aligned with the business objectives, and not vice versa [4]. Compliance with industry best practice is a desirable quality of an information security policy, but it is not a guarantee of its effectiveness or suitability for the organization. Industry best practices are general guidelines or recommendations that may not apply to every organization or situation. An information security policy should be customized and tailored to the specific context and needs of the organization.
References:
[1] The 12 Elements of an Information Security Policy | Exabeam
[2] 11 Key Elements of an Information Security Policy | Egnyte
[3] What is an IT steering committee? Definition, roles & responsibilities …
[4] What is IT Strategy? Definition, Components & Best Practices | BMC …
[5] IT Security Policy: Key Components & Best Practices for Every Business