Determining Employee Understanding: Organization's Information Security Policy

B.

As an IS auditor, the most effective way to determine whether employees understand the organization's information security policy is to review the organization's employee training log. This log should contain records of all training sessions attended by employees, including information security training.

By reviewing the training log, the auditor can determine whether all employees have received information security training and identify any gaps in employee training. The auditor can also verify the quality and effectiveness of the training provided and assess whether it adequately covers the organization's information security policy.

While ensuring that the policy is current and communicated throughout the organization is important, it does not necessarily guarantee that employees understand the policy. Simply surveying employees may also not provide an accurate representation of their understanding of the policy, as responses may be biased or inconsistent.

Therefore, the review of the employee training log is the best option for an IS auditor to assess employee understanding of the organization's information security policy.