What should be the PRIMARY focus of an IS auditor when reviewing the development of information security policies?

Prepare for the CISA Domain 5 Exam with our quizzes. Engage with flashcards, multiple-choice questions, detailed hints, and explanations. Boost your confidence and get ready to succeed!

The primary focus of an IS auditor when reviewing the development of information security policies should be to strike a balance between business and security requirements. This balance is essential because information security policies must not only address the security needs of the organization but also ensure that the business operations can proceed effectively and efficiently. Policies that are overly stringent may hinder business functions and create friction within the organization, while lax policies might expose the organization to unnecessary risks.

Additionally, a well-balanced policy approach helps to foster a culture of security awareness within the organization, as employees are more likely to adhere to policies that take into account the operational realities of their roles. Involving business units in the development process can lead to more practical policies that are readily accepted by staff and produce a stronger security posture.

While adherence to industry best practices and obtaining approval from leadership are important components of policy development, they serve as supporting factors rather than the primary focus. Ensuring policies provide clear directions for implementing security procedures is also crucial, but it is secondary to the need for a harmonious integration of security and business needs.
