Spirnia
Contributor III

CCSP - Data Life Cycle

Does data classification happen during the Create phase or the Store phase?


What is the reasoning behind your answer?

 

16 Replies
akkem
Contributor III

Classification should happen as early as possible, when data is created or acquired, to ensure data is properly protected before storage and throughout the lifecycle.
bmuzhanje
Newcomer I

Data should be classified during the data creation phase; this then helps us to apply commensurate in-storage controls based on the data class.

Spirnia
Contributor III

Thank you both for your replies!

 

I agree.

 

I noticed ChatGPT said during the store phase. So, I wanted to double check.

 

The official online curriculum also says during the create phase.

 


dcontesti
Community Champion

I have a slightly different thought on when Data should be Classified. I believe that data should be classified at its creation/collection; however, it should be reviewed periodically to potentially reclassify data in light of compliance requirements, organisational changes, or even as the data is being used in new applications.

 

d

nkeaton
Advocate II

@Spirnia This is a perfect example of why the CC’s Verify; then trust is very true. Data must be classified at creation; otherwise you wouldn’t know what to do with it. The data owner is responsible for classifying their data. For ISC2 exams, we must know the answers according to ISC2, not Google or an AI engine. This is also why people do the worst in the domain that they actually work in because they don’t answer according to ISC2. ISC2 is definitely the boss on exams as to what is right.
Spirnia
Contributor III

I very much like and agree with your take on it @dcontesti 

 

Thank you for your very thoughtful reply!

 

I agree that reviewing and reclassifying based on compliance and organizational changes and any additional insight one may gain after the original classification during creation/collection is of utmost importance to the data life cycle. And that moving to new systems would be another good place to check on the correct classification.

 

And creation/collection is certainly more complete than simply creation.

 

Thanks again for your input!

Spirnia
Contributor III

@nkeaton you are correct in that if you do the tasks on a regular basis, you might not answer according to ISC2, instead, answer from experience, and get a few questions wrong.

 

I do double check on some concepts that I feel uncertain about.

 

Thank you for your reply!

 

I am glad I posted my question to this forum.

dcontesti
Community Champion

I use Collection as data may "travel" throughout an organisation. Take for example: data related to the weight of a specific product, while in the production area, may be classified as Internal; however, if the Financial department now requires that piece of data as part of their reporting, the classification could change to be "confidential" as it may be combined with other data. It may not change, but the receiving department is now the Data Owner and needs to classify it.

 

As to (ISC)2 being the expert, I tend to disagree. Most materials the organisation puts together are done by volunteers. Exams, as an example, are developed by a group of knowledgeable individuals. The questions and distractors are discussed and a consensus is reached. This is why most exams include pre-test items (let's see how they perform) and if they make it to the exam, the questions again are reviewed based on candidate comments and the stats related to the item. Additionally, some topics are very difficult to put into question format. If you ever have the good fortune to participate in developing exams (a great experience that helps expand your knowledge base and also a great networking opportunity), you may find yourself in a position where you can write a question and develop three distractors but not be able to find the fourth (not always the easiest job).

 

If I based my work on everything that I see or read, I potentially might not have my job very long. At times, we need to rely on experience but during an exam, we need to rely on what we have seen in a book or a video. As an example, we recently saw that here on the forum, where a question on Cloud Security was brought into question and we were told that "training" is now under review for rewrite.

 

Again, MHO

 

d

 

 

 

Spirnia
Contributor III

@dcontesti thank you again for your reply!

 

I like how you defined collection. I had not thought of it quite in that manner before.

 

I was the one who questioned crypto shredding earlier. And I wondered how that got into the official curriculum as it was written in multiple locations.

 

I am glad ISC2 is taking a second look at that topic in their curriculum.

 

It is also true that 'textbook' know-how may not be the 'right' thing to do on the job. And in our ever-changing world, the written curriculum may very well be far behind the times. But it is also true that that is what the exam requires of us to know.

 

I am sure exam writing is a very interesting experience for all involved! I always wonder how certain questions are formulated!