Certified Information Systems Auditor (CISA) — Question 287

A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?

Answer options

• A. Identifying data security threats in the affected jurisdiction
• B. Reviewing data classification procedures associated with the affected jurisdiction
• C. Identifying business processes associated with personal data exchange with the affected jurisdiction
• D. Developing an inventory of all business entities that exchange personal data with the affected jurisdiction

Correct answer: C

Explanation

The correct answer is C because understanding the specific business processes that involve personal data exchange provides insight into the potential risks and exposure due to the new regulation. Options A and B focus on threats and procedures but do not directly address the operational aspects of data exchange. Option D, while useful, does not provide the detailed operational context that C does.