Certified Information Security Manager (CISM) — Question 1211

To gain a clear understanding of the impact that a new regulatory requirement will have on an organization's information security controls, an information security manager should FIRST:

Answer options

• A. conduct a cost-benefit analysis.
• B. conduct a risk assessment.
• C. interview senior management.
• D. perform a gap analysis.

Correct answer: D

Explanation

The correct answer is D because conducting a gap analysis allows the information security manager to identify the differences between current controls and the new regulatory requirements. The other options, while important, do not provide the immediate clarity on compliance gaps that a gap analysis does.