Certified in the Governance of Enterprise IT (CGEIT) — Question 231
An enterprise has learned of a new regulation that may impact delivery of one of its core technology services. Which of the following should be done FIRST?
Answer options
- A. Request an action plan from the risk team.
- B. Determine whether the board wants to comply with the regulation.
- C. Assess the risk associated with the new regulation.
- D. Update the risk management framework.
Correct answer: C
Explanation
The first step should be to assess the risk associated with the new regulation, because understanding its potential impact on the service is a prerequisite for any further action. Without that assessment, the enterprise cannot determine how to comply or what to do next. The other options are premature: each depends on information that is only available once the risk assessment has been completed.