In developing information security policies, what should be the primary focus of an IS auditor?

Prepare for the CISA Domain 2 Exam. Use flashcards and multiple-choice questions with hints and explanations to get exam ready!

In developing information security policies, the primary focus of an IS auditor should be on balancing business and security requirements. This balance is essential because security policies must not only protect organizational assets and information but also support the organization's objectives, operations, and culture. If the policies become too stringent or misaligned with business needs, they can lead to inefficiencies, hinder business processes, and ultimately undermine the effectiveness of security efforts.

By focusing on the balance between business and security, the IS auditor ensures that security measures are practical, relevant, and integrated into everyday business practices. This approach encourages stakeholder buy-in and compliance, as employees are more likely to adhere to policies that align with their work processes and organizational goals. Thus, achieving this balance helps ensure that security initiatives are sustainable and effective in the long run.
