A privacy protection policy is primarily intended to make personnel aware of the organization’s responsibilities and rules for handling personal information in accordance with applicable laws, regulations, and contractual obligations. ISACA privacy guidance consistently frames privacy as a compliance-driven and accountability-driven discipline, centered on the proper collection, use, storage, sharing, and protection of personal data under applicable legal requirements.
Option C is therefore the best answer because a privacy policy’s core purpose is not just technical protection, but ensuring that employees understand the legal and regulatory requirements governing personal information. ISACA notes that modern privacy programs are strongly shaped by regulations such as GDPR and similar laws, which impose explicit obligations on organizations that collect and process personal data. A privacy protection policy helps communicate those obligations internally.
Option A is incorrect because cybercrime awareness belongs more to a general information security awareness program than to the primary purpose of a privacy protection policy. Privacy and cybersecurity overlap, but a privacy policy is specifically about the lawful and proper handling of personal information, not general awareness of crimes that target networks.
Option B is incorrect because encryption is only one possible control for protecting personal data. A privacy policy may mention encryption, but its primary purpose is broader: defining privacy obligations, rights, responsibilities, and compliance expectations. Technical controls support the policy; they are not the policy’s central awareness objective.
Option D is also incorrect because system configuration procedures belong to technical standards, baselines, or operating procedures. A privacy protection policy is a governance-level document that sets expectations regarding personal information protection and legal compliance, rather than detailing system configuration steps.
For CISA-style reasoning, when a question asks for the primary objective of a privacy policy, the best answer is the one that addresses the organization’s obligation to protect personal data in accordance with legal requirements. That makes C the strongest and most defensible answer.
References (Official ISACA):
ISACA Privacy Resource Center — privacy guidance focused on compliance and privacy program obligations.
ISACA, The Evolving World of Data Privacy: Trends and Strategies — discusses legal obligations such as GDPR requirements for personal data protection.
ISACA Privacy Notice — reflects the role of applicable law in handling personal data.
ISACA Journal, Creating a Compliant and Accountable Data Culture — emphasizes accountability and compliance in data privacy.