Certified Information Systems Auditor (CISA) — Question 291

Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

Answer options

• A. Determine which databases will be in scope.
• B. Identify the most critical database controls.
• C. Evaluate the types of databases being used.
• D. Perform a business impact analysis (BIA).

Correct answer: A

Explanation

The first step in the preliminary planning phase is to determine which databases are included in the review, as this sets the foundation for all subsequent activities. Identifying critical controls and evaluating types of databases are important but should be done after establishing the scope. A business impact analysis (BIA) is also essential but is typically conducted later in the process to understand the implications of database security risks.