Certified Information Security Manager (CISM) — Question 1093

When updating the information security policy to accommodate a new regulation, the information security manager should FIRST:

Answer options

• A. review key risk indicators (KRIs).
• B. consult process owners.
• C. update key performance indicators (KPIs).
• D. perform a gap analysis.

Correct answer: D

Explanation

The correct answer is D, as performing a gap analysis allows the information security manager to identify discrepancies between the current policy and the new regulation. Options A, B, and C, while important, are secondary steps that should follow the identification of gaps in compliance.