Certified Information Security Manager (CISM) — Question 164
Which of the following should an information security manager do FIRST when assessing conflicting requirements between the global organization's security standards and local regulations?
Answer options
- A. Conduct a gap analysis against local regulations.
- B. Perform a cost-benefit analysis of compliance.
- C. Create a local version of the organizational standards.
- D. Prioritize the organizational standards over local regulations.
Correct answer: A
Explanation
The correct answer is A. Conducting a gap analysis identifies the specific differences between the organization's security standards and the local regulations, and that inventory of differences is the necessary starting point for resolving the conflict. Options B and C are follow-on actions that depend on the findings of the gap analysis, while D is not advisable because prioritizing organizational standards over local regulations could lead to non-compliance with local laws.