Certified Information Security Manager (CISM) — Question 913
Which of the following should be done FIRST when developing an information asset classification policy?
Answer options
- A. Identify accountability for information assets throughout the organization.
- B. Establish the criteria that define an asset's classification level.
- C. Identify existing security measures for protecting assets.
- D. Obtain executive input to identify high-value assets to be classified.
Correct answer: A
Explanation
The first step in developing an information asset classification policy is to identify accountability for information assets throughout the organization (Option A), as this establishes who will manage and oversee the classification process. Options B, C, and D are important but come after accountability has been established: unless accountability is clear, the classification criteria, existing security measures, and executive input may not be effectively implemented.