Certified Information Systems Auditor (CISA) — Question 306

Which of the following is the MOST important activity in the data classification process?

Answer options

• A. Determining accountability of data owners
• B. Labeling the data appropriately
• C. Identifying risk associated with the data
• D. Determining the adequacy of privacy controls

Correct answer: C

Explanation

Identifying risk associated with the data is essential because it helps determine how data should be classified based on its sensitivity and the potential impact of a breach. While accountability, labeling, and privacy controls are important, they all rely on a clear understanding of the associated risks to effectively manage data security.