CISSP · Question #344
Who would be the BEST person to approve an organizations information security policy?
The correct answer is B. Chief Information Security Officer (CISO). The Chief Information Security Officer (CISO) is the most appropriate executive to approve an organization's information security policy due to their direct responsibility for security strategy and governance.
Question
Who would be the BEST person to approve an organizations information security policy?
Options
- AChief Information Officer (CIO)
- BChief Information Security Officer (CISO)
- CChief internal auditor
- DChief Executive Officer (CEO)
How the community answered
(39 responses)- A8% (3)
- B87% (34)
- C3% (1)
- D3% (1)
Why each option
The Chief Information Security Officer (CISO) is the most appropriate executive to approve an organization's information security policy due to their direct responsibility for security strategy and governance.
The Chief Information Officer (CIO) oversees overall IT strategy and operations, but the specialized responsibility for information security policy approval typically resides with the CISO, who focuses solely on security.
The Chief Information Security Officer (CISO) holds ultimate executive responsibility for an organization's information security program, which explicitly includes the development, implementation, and governance of security policies. Approving these policies is a core function ensuring they align with the organization's risk posture and regulatory requirements.
A Chief internal auditor's primary function is to evaluate the effectiveness of policies and controls, not to create or formally approve the policies themselves.
The Chief Executive Officer (CEO) has ultimate organizational authority but typically delegates specific policy approvals to functional heads like the CISO, who possess the domain expertise and direct responsibility for information security.
Concept tested: Information security governance roles and responsibilities
Source: https://learn.microsoft.com/en-us/security/cybersecurity-reference-architecture/security-roles-responsibilities
Topics
Community Discussion
No community discussion yet for this question.