
CISA Question #498: Real Exam Question with Answer & Explanation


Submitted by kev92 · Apr 18, 2026 · Domain: Governance and Management of IT

Question

During audit planning for the review of an Internet of Things (IoT) implementation program, an IS auditor requests the organization's information risk policy. Which of the following pieces of information would the auditor PRIMARILY expect to find in the policy?

Options

  • A. The risk register for associated risks
  • B. A detailed inventory of vulnerabilities
  • C. The defined risk appetite for new technologies
  • D. Guidelines on implementing security controls

Explanation

An information risk policy is a high-level governance document that defines the organization's philosophy and boundaries around risk - most importantly, its risk appetite: how much risk the organization is willing to accept, especially when adopting new technologies like IoT. This makes C the correct answer, as risk appetite is a foundational policy-level statement that guides all downstream risk decisions.

Why the distractors are wrong:

  • A (Risk register): A risk register is an operational artifact that documents specific identified risks - it's an output of the risk management process, not something defined in a policy.
  • B (Vulnerability inventory): A detailed vulnerability inventory is a technical/operational deliverable, far too granular for a policy document - this belongs in vulnerability management reports or assessment outputs.
  • D (Security control guidelines): Implementation guidelines for security controls belong in standards or procedures, not in a policy. Policies state what and why; procedures state how.

Memory tip: Think of the policy as the "rulebook philosophy" - it sets the appetite and boundaries, not the specifics. A useful mnemonic: Policy = Principles & Parameters (like risk appetite). Registers, inventories, and control guides are all one level below policy in the governance hierarchy.

Topics

Information Risk Policy, Risk Appetite, IT Governance, Risk Management
