In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:

A. implementation.

B. compliance.

C. documentation.

D. sufficiency.

Explanation:

An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of controls. Documentation, implementation and compliance are further steps.