An organization has recently installed a security patch, which crashed the production server. To minimize the
probability of this occurring again, an IS auditor should:

A.
apply the patch according to the patch’s release notes.

B.
ensure that a good change management process is in place.

C.
thoroughly test the patch before sending it to production.

D.
approve the patch after doing a risk assessment.

Explanation:
An IS auditor must review the change management process, including patch management procedures, and
verify that the process has adequate controls and make suggestions accordingly. The other choices are part of
a good change management process but are not an IS auditor’s responsibility.