Certified Information Systems Auditor (CISA) — Question 629

Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

Answer options

• A. Legal and compliance requirements
• B. Customer agreements
• C. Data classification
• D. Organizational policies and procedures

Correct answer: A

Explanation

The IS auditor should first examine legal and compliance requirements as they establish the regulatory framework that governs data privacy. While customer agreements, data classification, and organizational policies are important, they are secondary to understanding the legal obligations that dictate how customer data must be handled.