Certified Information Systems Auditor (CISA) — Question 580

Which of the following is the FIRST step in initiating a data classification program?

Answer options

• A. Inventory of data assets
• B. Assignment of data ownership
• C. Assignment of sensitivity levels
• D. Risk appetite assessment

Correct answer: A

Explanation

The first step in initiating a data classification program is to conduct an inventory of data assets, as it allows organizations to understand what data they possess before classifying it. The other options, such as assigning ownership or sensitivity levels, depend on having a clear picture of the existing data, which makes them secondary steps.