Information security policies should be reviewed:

 Reviewing Policies:

Regular reviews ensure that policies remain relevant and effective in addressing evolving threats, business needs, and regulatory requirements.

 Annual Review Importance:

Engages stakeholders in the process, ensuring alignment with business and operational needs.

Identifies and addresses gaps or outdated provisions.

 Why Other Options Are Incorrect:

B. By CISO for new systems: Focuses on operational changes, not policy lifecycle.

C. By Incident Response Team post-audit: Incident reviews focus on specific findings, not comprehensive policy updates.

D. By internal audit semiannually: Audits ensure compliance but don’t replace stakeholder reviews.

 References:

ISO 27001 and EC-Council emphasize the importance of annual policy reviews involving key stakeholders to maintain security relevance and effectiveness.