Certified Information Systems Auditor (CISA) — Question 261

What should an IS auditor evaluate FIRST when reviewing an organization’s response to new privacy legislation?

Answer options

• A. Implementation plan for restricting the collection of personal information
• B. Analysis of systems that contain privacy components
• C. Privacy legislation in other countries that may contain similar requirements
• D. Operational plan for achieving compliance with the legislation

Correct answer: D

Explanation

The operational plan is crucial because it outlines how the organization intends to achieve compliance with the new privacy legislation. While the other options are important, they are secondary steps that rely on having a solid operational plan in place first.