Certified in Risk and Information Systems Control (CRISC) — Question 308

Which of the following should be done FIRST
when developing a data protection management plan?

Answer options

• A. Identify critical data.
• B. Conduct a risk analysis.
• C. Perform a cost-benefit analysis.
• D. Establish a data inventory.

Correct answer: D

Explanation

Establishing a data inventory is crucial as it provides a comprehensive overview of the data that needs protection. Without knowing what data exists, performing risk analyses or cost-benefit assessments may not be effective. The other options are important but should follow the identification of data assets.