nerdexam
(ISC)2

CISSP · Question #344

Who would be the BEST person to approve an organizations information security policy?

The correct answer is B. Chief Information Security Officer (CISO). The Chief Information Security Officer (CISO) is the most appropriate executive to approve an organization's information security policy due to their direct responsibility for security strategy and governance.

Submitted by yasin.bd· Mar 5, 2026Security and Risk Management

Question

Who would be the BEST person to approve an organizations information security policy?

Options

  • AChief Information Officer (CIO)
  • BChief Information Security Officer (CISO)
  • CChief internal auditor
  • DChief Executive Officer (CEO)

How the community answered

(39 responses)
  • A
    8% (3)
  • B
    87% (34)
  • C
    3% (1)
  • D
    3% (1)

Why each option

The Chief Information Security Officer (CISO) is the most appropriate executive to approve an organization's information security policy due to their direct responsibility for security strategy and governance.

AChief Information Officer (CIO)

The Chief Information Officer (CIO) oversees overall IT strategy and operations, but the specialized responsibility for information security policy approval typically resides with the CISO, who focuses solely on security.

BChief Information Security Officer (CISO)Correct

The Chief Information Security Officer (CISO) holds ultimate executive responsibility for an organization's information security program, which explicitly includes the development, implementation, and governance of security policies. Approving these policies is a core function ensuring they align with the organization's risk posture and regulatory requirements.

CChief internal auditor

A Chief internal auditor's primary function is to evaluate the effectiveness of policies and controls, not to create or formally approve the policies themselves.

DChief Executive Officer (CEO)

The Chief Executive Officer (CEO) has ultimate organizational authority but typically delegates specific policy approvals to functional heads like the CISO, who possess the domain expertise and direct responsibility for information security.

Concept tested: Information security governance roles and responsibilities

Source: https://learn.microsoft.com/en-us/security/cybersecurity-reference-architecture/security-roles-responsibilities

Topics

#Security policy approval#CISO roles#Information governance#Organizational roles

Community Discussion

No community discussion yet for this question.

Full CISSP Practice