Isaca
CGEIT · Question #327
CGEIT Question #327: Real Exam Question with Answer & Explanation
The correct answer is D: Business impact. The primary basis for establishing information classification categories should be the business impact that unauthorized disclosure, alteration, or unavailability of that information would have on the organization.
Submitted by the_admin · Apr 18, 2026 · Governance of Enterprise IT
Question
Which of the following should be the PRIMARY basis for establishing categories within an information classification scheme?
Options
- A. Information architecture
- B. Industry standards
- C. Information security policy
- D. Business impact
Explanation
The primary basis for establishing information classification categories should be the business impact that unauthorized disclosure, alteration, or unavailability of that information would have on the organization.
Common mistakes.
- A. Information architecture describes how information is structured and organized, but it does not directly dictate the sensitivity or protective requirements of the information itself for classification purposes.
- B. Industry standards can provide guidelines for classification, but the specific categories and their definitions must be tailored to an organization's unique business impact and risk appetite, rather than simply adopting generic standards.
- C. An information security policy sets the rules and principles for security, including the need for classification, but the policy itself does not establish the basis for defining the classification categories; rather, it mandates that classification be performed based on factors like business impact.
Concept tested. Information classification basis
Topics
#Information Classification #Business Impact Analysis #Information Security Policy #Data Governance