Certified Information Security Manager (CISM) — Question 306
An organization has purchased an Internet sales company to extend the sales department. The information security manager's FIRST step to ensure the security policy framework encompasses the new business model is to:
Answer options
- A. perform a gap analysis.
- B. implement both companies' policies separately.
- C. merge both companies' policies.
- D. perform a vulnerability assessment.
Correct answer: A
Explanation
The correct answer is A: performing a gap analysis identifies discrepancies between the existing security policies and the requirements of the new business model. Options B and C would not address the need for a comprehensive review, and option D focuses on identifying vulnerabilities rather than aligning policies.