cisa-d2-governance-management-data-governance-and-classification

Data Governance and Classification

isaca-cisa · framework · Gold standard

Drawn fromCISA Review Manual · ISACA peer-reviewed case sets·Reviewed May 4, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Data Governance and Classification

Data Governance and Classification is the formal framework of authority, policies, roles, and processes by which an organization manages its data assets throughout their lifecycle. Data governance establishes WHO holds decision-making authority over data, WHAT rules govern data handling, and HOW compliance with those rules is enforced and measured. Data classification is governance made operational: each data asset is assigned to a defined sensitivity tier—typically Public, Internal, Confidential, or Restricted—based on its regulatory context, business sensitivity, and potential harm from unauthorized disclosure, alteration, or loss. Together, they ensure the right people have the right access to the right data, with appropriate protections in place. Data governance (the policy and authority framework) is distinct from data management (the operational execution of storage, integration, and quality tasks)—a distinction ISACA specifically tests on the CISA exam.

Where it stops · what it isn't

—IS: Policies, roles, classification schemas, accountability structures, and oversight mechanisms for data assets across their full lifecycle
—IS: Integration of data classification with risk management, access control, and regulatory compliance programs
—IS NOT: Data management operations (ETL, database administration, backup/recovery)—these are execution activities the framework governs, not governance itself
—IS NOT: Information security controls alone (encryption, DLP tools)—these are enabling technologies that classification tiers require, not the governance framework
—IS NOT: A one-time project—data governance is a continuous capability requiring sustained organizational commitment
—IS NOT: Applicable only to regulated industries—any organization handling personal, financial, or proprietary data carries governance obligations
—BOUNDARY: Data governance provides the structural framework within which legal counsel and compliance functions operate; it does not replace them

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Governance and Management of IT (ISACA CISA Domain 2)

REQUIRES

Data Asset Inventory and DiscoveryEnterprise Risk Management (ERM)

ENABLES

Regulatory Compliance (GDPR, HIPAA, GLBA, SOX, CCPA)Access Control and Identity ManagementData Retention and Lifecycle ManagementIncident Response and Breach Notification

RELATED TO

IT Governance and StrategyInformation Security Governance

CONSTRAINS

Data Democratization and Analytics Access

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.