The initial step in establishing an information security program is the:

A.
development and implementation of an information security standards manual.

B.
performance of a comprehensive security control review by the IS auditor.

C.
adoption of a corporate information security policy statement.

D.
purchase of security access control software.

Explanation:

A policy statement reflects the intent and support provided by executive management for proper
security and establishes a starting point for developing the security program.