Data Governance & Classification
This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series introduces the principles of data governance and classification. It examines why classification must come before protection, how ownership and labeling schemes work, the lawful bases for processing personal data, the rights individuals hold over their information, and the regulatory challenges that arise when data moves across borders.
What this episode covers
- Classification before protection: why a detailed information asset inventory must come first, and how classification enables cost-effective, consistent security controls.
- Information ownership and scheme design: who makes classification decisions and what a simple, practical sensitivity scheme defines for each asset.
- Labeling and its importance: how labels drive consistent handling, prevent accidental disclosure, and separate production data from test data.
- Common classification levels: the typical four-level scheme from public through internal and confidential to restricted, with escalating controls at each level.
- Classification and privacy work: how a master data inventory supports privacy assessments and must be managed jointly with privacy governance.
- Lawful bases for processing: legal purpose, consent, and legitimate interest as the three recognized grounds for handling personal data.
- Individual rights and transborder data flows: the rights data subjects hold, the obligations they create, and the regulatory complexity when data crosses international borders.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
Why must data be classified before it can be protected?
Classification starts with a detailed inventory of information assets, which is the only way to know what you have and how much protection each item needs. Assets differ in sensitivity and criticality, so assigning classifications lets you set the right access controls, keep protection consistent across the enterprise, and avoid overspending to guard data that barely matters.
Who decides the data classification, and what does a good scheme look like?
The information owner makes the classification decision, following the enterprise classification and handling policy. A good scheme keeps the number of levels simple, typically between three and five, and defines the importance, ownership, access approval process, and depth of security controls for each asset, while accounting for legal and regulatory requirements.
What are the three lawful bases for processing personal data?
The three common lawful bases are legal purpose, meaning you must state why you collect the data and stick to that purpose; consent, meaning you obtain proper permission before collecting or reusing the data; and legitimate interest, meaning your valid business need can serve as the basis when it does not override the person's rights.
What risks arise when data crosses national borders?
Transborder data flow means data moving between countries, and both the origin and destination countries may have applicable laws covering legal compliance, security, integrity, and privacy. Because internet routing is not fixed, data may cross a border unexpectedly, and some countries mandate encryption for data in transit, so monitoring data flows and involving legal counsel is essential.
Master the ISACA CISA Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA CISA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in Data Governance & Classification.