A data classification policy is a plan that helps an organization determine the risk tolerance and security requirements for its data assets. A data classification policy separates data into different categories based on its sensitivity, such as public, private, or restricted. A data classification policy should be established first so that data owners can consistently assess the level of data protection needed across the enterprise, as it helps them to identify the types and locations of data they own, the potential threats and impacts of data breaches, and the appropriate security controls and measures to safeguard their data. A data classification policy also helps to ensure compliance with regulatory and legal obligations, as well as to optimize data management and governance practices. References: CGEIT Exam Content Outline | ISACA1, CGEIT Review Manual (Digital Version), Data Classification Policy: Benefits, Examples, and Techniques2, Why data classification is important for security | Infosec3