Certified Information Security Manager (CISM) — Question 161
An organization faces severe fines and penalties if not in compliance with local regulatory requirements by an established deadline. Senior management has asked the information security manager to prepare an action plan to achieve compliance. Which of the following would provide the MOST useful information for planning purposes?
Answer options
- A. Results from a business impact analysis (BIA)
- B. Results from a gap analysis
- C. An inventory of security controls currently in place
- D. Deadlines and penalties for noncompliance
Correct answer: B
Explanation
The results from a gap analysis (B) are the most useful input: a gap analysis compares the organization's current state against the specific regulatory requirements and lists the discrepancies, which become the work items, priorities and resource estimates of the action plan. A business impact analysis (A) ranks processes by the consequences of disruption, and an inventory of security controls (C) describes what is in place today; both are useful context (the control inventory is in fact an input to the gap analysis), but neither by itself shows what is missing relative to the regulation. Deadlines and penalties (D) set the schedule and the urgency, but do not tell the manager which steps are needed to achieve compliance.