Certified Information Security Manager (CISM) — Question 322

What should a global information security manager do FIRST when informed that a new regulation with significant impact will go into effect soon?

Answer options

• A. Perform a vulnerability assessment.
• B. Perform a business impact analysis (BIA).
• C. Perform a privacy impact assessment.
• D. Perform a gap analysis.

Correct answer: D

Explanation

The correct answer is D, as a gap analysis is essential to identify the differences between current practices and the new regulatory requirements. This step allows the manager to understand what changes are needed to comply with the regulation. The other options, while important, are secondary steps that come after identifying the gaps in compliance.