A security architect is designing a data classification schema for a multinational corporation. Which combination of factors is MOST critical for determining the classification level of a data asset?
These are the core factors in determining classification.
Why this answer
The classification level of a data asset is primarily determined by the potential harm that could result from its unauthorized disclosure, modification, or loss. Legal, regulatory, and business impact factors—such as compliance with GDPR, HIPAA, or PCI DSS—directly dictate the required confidentiality, integrity, and availability controls. Without assessing these impacts, any classification scheme would be arbitrary and fail to align with organizational risk tolerance.
Exam trap
ISACA often tests the misconception that technical attributes (like encryption or storage location) determine classification, when in reality classification is a business-driven risk decision based on the impact of disclosure.
How to eliminate wrong answers
Option A is wrong because data volume and storage location influence operational decisions (e.g., replication, latency) but do not define the sensitivity or criticality of the data itself; a single record of PII can be far more sensitive than terabytes of public data. Option B is wrong because data format and encryption status are technical controls applied after classification, not criteria for determining the classification level; encryption status can change without altering the inherent sensitivity of the data. Option C is wrong because creation date and last access time are metadata useful for lifecycle management (e.g., retention policies) but irrelevant to the intrinsic value or risk of the data asset.