
Based on Scenario 2, the cybersecurity policy was approved by senior management. Is this appropriate?

Testing, monitoring, and improvement

With this program, the company aimed to strengthen the resilience of its digital infrastructure through advanced threat detection, real-time monitoring, and proactive incident response. Additionally, it decided to draft a comprehensive and clear cybersecurity policy as part of its overall cybersecurity program. The drafting process involved conducting thorough research and analysis of existing cybersecurity frameworks. Once the initial draft was prepared, the policy was reviewed and then approved by senior management. After finalizing the cybersecurity policy, EuroTech Solutions took a proactive approach to its initial publication. The policy was communicated to all employees through various channels, including internal communications, employee training sessions, and the company's intranet.

Based on the scenario above, answer the following question.

Based on Scenario 2, the cybersecurity policy was approved by senior management. Is this appropriate?
A. Yes, the cybersecurity policy must be approved by management
B. No, the cybersecurity policy must be approved only by the CEO
C. No, the cybersecurity policy must be approved only by the security governance committee

Answer: A

Explanation:

The approval of the cybersecurity policy by senior management is appropriate and aligns with best practices in cybersecurity governance. Management approval gives the policy the authority and backing it needs to be implemented and enforced, and it visibly demonstrates top-level commitment to cybersecurity within the organization.

ISO/IEC 27001 requires that the information security policy be approved by management to ensure alignment with the organization's objectives and regulatory requirements. Similarly, NIST SP 800-53 and other standards emphasize the role of senior management in approving and endorsing security policies so that they are effectively implemented and enforced.

References:

ISO/IEC 27001:2013 – Specifies that top management must establish, approve, and communicate the information security policy to ensure organizational alignment and support.

NIST SP 800-53 – Highlights the importance of management's role in establishing and approving security policies and procedures to ensure their effective implementation.
