In an organization where an IT security baseline has been defined, an IS auditor should FIRST
ensure:
A.
implementation.
B.
compliance.
C.
documentation.
D.
sufficiency.
Explanation:
An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the
sufficiency of controls. Documentation, implementation and compliance are further steps.