Certified in Risk and Information Systems Control (CRISC) — Question 840

Before assigning sensitivity levels to information, it is MOST important to:

Answer options

• A. define the information classification policy.
• B. conduct a sensitivity analysis.
• C. identify information custodians.
• D. define recovery time objectives (RTOs).

Correct answer: A

Explanation

The correct answer is A because defining the information classification policy provides the framework necessary to categorize data appropriately. Without this policy, any subsequent actions like sensitivity analysis or identifying custodians would lack direction and consistency. Options B, C, and D are important steps but come after establishing the classification policy.