In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:
A. implementation.
B. compliance.
C. documentation.
D. sufficiency.
Explanation:
An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of controls. Documentation, implementation and compliance are further steps.