Certified in the Governance of Enterprise IT (CGEIT) — Question 183
Which of the following should be done FIRST when defining responsibilities for ownership of information and systems?
Answer options
- A. Require an inventory of information assets.
- B. Identify systems that are outsourced.
- C. Require an information risk assessment.
- D. Ensure information is classified.
Correct answer: A
Explanation
The correct answer is A, as creating an inventory of information assets is foundational for understanding what needs to be managed and protected. Identifying outsourced systems (B), conducting a risk assessment (C), and classifying information (D) are important steps but should follow after establishing a clear inventory.