nerdexam
(ISC)2

CISSP · Question #863

In order for a security policy to be effective within an organization, it MUST include

The correct answer is D. disciplinary measures for non compliance.. Security Policy Effectiveness Disciplinary measures for non-compliance are essential because a policy without enforceable consequences has no real authority - employees are far less likely to follow rules when there is no accountability or risk of punishment. A security policy on

Submitted by khalil_dz· Mar 5, 2026Security and Risk Management

Question

In order for a security policy to be effective within an organization, it MUST include

Options

  • Astrong statements that clearly define the problem.
  • Ba list of all standards that apply to the policy.
  • Cowner information and date of last revision.
  • Ddisciplinary measures for non compliance.

How the community answered

(25 responses)
  • B
    4% (1)
  • C
    4% (1)
  • D
    92% (23)

Explanation

Security Policy Effectiveness

Disciplinary measures for non-compliance are essential because a policy without enforceable consequences has no real authority - employees are far less likely to follow rules when there is no accountability or risk of punishment. A security policy only becomes truly effective when people understand there are real repercussions for violating it, making enforcement the critical component that transforms a document into a functional control.

Why the distractors fall short:

  • Option A (strong problem statements) is helpful for clarity but doesn't enforce compliance - a well-written policy that no one follows is still ineffective.
  • Option B (list of standards) is a best practice for documentation but is supplementary, not a must-have for effectiveness.
  • Option C (owner info and revision date) supports governance and maintenance but is an administrative detail, not what drives people to actually follow the policy.

Memory Tip: Think of it like a speed limit sign - clearly written (A), referenced in law books (B), and dated (C), but drivers only slow down because of the fine (D). No consequence = no compliance.

Topics

#Security Policy#Policy Enforcement#Governance#Compliance

Community Discussion

No community discussion yet for this question.

Full CISSP Practice