An external auditor has found that IT security policies in the organization are not maintained and in
some cases are nonexistent. As a result of the audit findings, the CISO has been tasked with the
objective of establishing a mechanism to manage the lifecycle of IT security policies. Which of the
following can be used to BEST achieve the CISO’s objectives?

A.
CoBIT

B.
UCF

C.
ISO 27002

D.
eGRC