Certified Information Systems Auditor (CISA) — Question 1058
Which of the following is the MOST appropriate procedure for an organization to use when classifying data?
Answer options
- A. Have the information security manager assign data classification levels.
- B. Review data classification questionnaires completed by data owners.
- C. Use results from business impact analyses to classify data.
- D. Publish data classification templates on the corporate intranet.
Correct answer: C
Explanation
Using results from business impact analyses to classify data is the most effective approach because it aligns data classification with the potential impact on the organization. The other options, while useful, either rely on individual input (A and B) or concern accessibility (D) rather than providing a systematic approach to classification based on risk and impact.