Certified Information Security Manager (CISM) — Question 1241
Which of the following should be performed FIRST in response to a new information security regulation?
Answer options
- A. Industry benchmarking
- B. Independent audit
- C. Risk assessment
- D. Gap analysis
Correct answer: D
Explanation
The first step in responding to a new information security regulation is to conduct a gap analysis, because it identifies the differences between current practices and the regulation's requirements. This foundational step informs subsequent actions such as risk assessments and independent audits, while industry benchmarking is less relevant at this initial stage.