What is the greatest concern for an IS auditor after a change in the maintenance vendor for critical systems?

The greatest concern for an IS auditor after a change in the maintenance vendor for critical systems is that the new vendor may not know the policies. This option highlights the importance of understanding and adhering to established procedures and policies that govern the management and security of critical systems. When a new vendor takes over, there is a risk that they may not be fully familiar with the organization’s specific policies regarding data protection, system updates, access controls, and incident response protocols.

If the new vendor does not grasp these critical policies, it could result in mismanagement of the systems, leading to vulnerabilities or non-compliance with regulatory standards. This situation could expose the organization to security risks or operational failures, making it essential for the IS auditor to ensure that the new vendor receives comprehensive training and is briefed on all pertinent policies.

The other options, while they may present concerns within the overall context of system maintenance, do not address the immediate challenge of policy adherence and operational knowledge that is crucial for the new vendor's success in managing the critical systems effectively.