Certified in Risk and Information Systems Control (CRISC) Practice Test

A policy serves as a clear directive control because it establishes guidelines, expectations, and requirements for behavior within an organization. Directive controls aim to ensure that the organization's objectives are met by providing a framework within which individuals operate. Policies outline how processes should be conducted, the roles and responsibilities of personnel, and the actions to be taken in various scenarios, thereby inducing compliance and guiding decision-making.

In contrast, options like a surveillance system, a firewall, and an intrusion detection system function as preventive or detective controls rather than directive controls. These options primarily focus on monitoring and protecting the information systems rather than providing a set of protocols or behaviors that individuals within the organization should follow. Thus, a policy is the most fitting example of a directive control, as it directly influences the actions of individuals in alignment with the organization’s risk management strategy.