Certified Information Security Manager (CISM) — Question 327

A new law requires an organization to implement specific security controls. Which of the following should the information security manager do FIRST?

Answer options

• A. Integrate the new requirements into the security policy.
• B. Perform a gap analysis on the new requirements.
• C. Develop a control implementation plan.
• D. Assess the risk of noncompliance with the new requirements.

Correct answer: B

Explanation

The first step in addressing new security requirements is to perform a gap analysis to identify where current security measures fall short. This analysis informs the organization of the specific areas that need attention, which is essential before integrating changes into the policy or developing implementation plans. The other options, while important, should follow after the gap analysis to ensure compliance effectively.