You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. You are collaborating with auditors to facilitate auditing activities to ensure compliance with information security policy. Which of the following is least commonly adopted?
A. Employing the Delphi method
B. Interviewing with senior management
C. Reviewing data backup policy
D. Sending questionnaires to the target group
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Employing the Delphi method.
There are three common audit methods: examination, interviewing, and testing.
- Interviewing with senior management is common, especially in a certification audit.
- Reviewing the data backup policy is one form of examination.
- Sending questionnaires to the target group is also commonly used in an audit program, especially for self-assessment.
The Delphi method is not as commonly used in audits as the other three options. Its defining features are a panel of experts, anonymous questionnaires, and consensus.
The Delphi method is a forecasting process framework based on the results of multiple rounds of questionnaires sent to a panel of experts. Several rounds of questionnaires are sent out to the group of experts, and the anonymous responses are aggregated and shared with the group after each round. The experts are allowed to adjust their answers in subsequent rounds, based on how they interpret the “group response” that has been provided to them. Since multiple rounds of questions are asked and the panel is told what the group thinks as a whole, the Delphi method seeks to reach the correct response through consensus.