Certified Information Security Manager (CISM) — Question 128

A new regulatory requirement affecting an organization's information security program is released. Which of the following should be the information security manager's FIRST course of action?

Answer options

Correct answer: B

Explanation

The correct answer is B: a gap analysis lets the information security manager identify the discrepancies between current practices and the new requirements. Benchmarking (A) is not immediately necessary; notifying the legal department (C) can follow once the gaps are understood; and determining the disruption to the business (D) is a secondary concern that comes after assessing compliance needs.