In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:

A.
implementation.

B.
compliance.

C.
documentation.

D.
sufficiency.

Explanation:
An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of
controls. Documentation, implementation and compliance are further steps.