To ensure an organization is complying with privacy requirements, an IS auditor should FIRST review:

A.
the IT infrastructure.

B.
organizational policies, standards and procedures.

C.
legal and regulatory requirements.

D.
the adherence to organizational policies, standards and procedures.

Explanation:
To ensure that the organization is complying with privacy issues, an IS auditor should address legal and
regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the
appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should
evaluate organizational policies, standards and procedures to determine whether they adequately address the
privacy requirements, and then review the adherence to these specific policies, standards and procedures.