Certified Information Security Manager (CISM) — Question 667

Which of the following needs to be established FIRST in order to categorize data properly?

Answer options

• A. A data protection policy
• B. A data flow diagram
• C. A data classification framework
• D. A data custodian

Correct answer: C

Explanation

The correct answer is C, as a data classification framework provides the necessary structure and guidelines for categorizing data effectively. Without this framework, it would be challenging to implement a data protection policy, create a data flow diagram, or define the role of a data custodian effectively.