PrepAway - Latest Free Exam Questions & Answers

Which of the following choices is NOT normally part of the questions that would be asked with regard to an organization’s information security policy?

A. Who is involved in establishing the security policy?

B. Where is the organization’s security policy defined?

C. What are the actions that need to be performed in case of a disaster?

D. Who is responsible for monitoring compliance to the organization’s security policy?

Explanation:
The actions that need to be performed in case of a disaster are defined in the risk management policy, not the information security policy.
An information security policy should determine who is involved in establishing the security policy, where the organization’s security policy is defined and who is responsible for monitoring compliance to the organization’s security policy.

Incorrect Answers:
A: An information security policy should determine who is involved in establishing the security policy.
B: An information security policy should determine where the organization’s security policy is defined.
D: An information security policy should determine who is responsible for monitoring compliance to the organization’s security policy.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 102
