CISA QUESTION #6860
Question 1
An IS auditor discovers that an organization's information security manager (ISM) also serves as the primary system administrator with full access to all systems. What is the PRIMARY concern?
  • Excessive workload
  • Violation of segregation of duties—ISM should oversee controls but not implement/operate them ✔️
  • Insufficient staffing
  • Lack of specialization
Correct Answer Explanation
Information security management must be independent of operations to provide objective oversight. When the ISM also serves as system administrator, they effectively oversee their own work, eliminating independent verification of security controls. The ISM should define requirements and audit compliance, not implement and operate systems.